A111D3  Dfi^bM? 


NAn  INST  OF  STANDARDS  &  TECH  R.I.C. 


A1 11 03089647 

Ruder,  Brian/An  analysis  of  computer  saf 
QC100  .U57  NO.500-25,  1978  C.2  NBS-PUB-C 


NCE  &  TECHNOLOGY: 


AN  ANALYSIS  OF 
COMPUTER  SECURITY 
SAFEGUARDS  FOR 
DETECTING  AND 
PREVENTING  INTENTIONAL 
COMPUTER  MISUSE 


NBS  Special  Publication  500-25 

U.S.  DEPARTMENT  OF  COMMERCE 
National  Bureau  of  Standards 


NATIONAL  BUREAU  OF  STANDARDS 

The  National  Bureau  of  Standards^  was  established  by  an  act  of  Congress  March  3,  1901.  The  Bureau's  overall  goal  is  to 
strengthen  and  advance  the  Nation's  science  and  technology  and  facilitate  their  effective  application  for  public  benefit.  To  this 
end,  the  Bureau  conducts  research  and  provides:  (1)  a  basis  for  the  Nation's  physical  measurement  system,  (2)  scientific  and 
technological  services  for  industry  and  government,  (3)  a  technical  basis  for  equity  in  trade,  and  (4)  technical  services  to  pro- 
mote public  safety.  The.  Bureau  consists  of  the  Institute  for  Basic  Standards,  the  Institute  for  Materials  Research,  the  Institute 
for  Applied  Technology,  the  Institute  for  Computer  Sciences  and  Technology,  the  Office  for  Information  Programs,  and  the 
Office  of  Experimental  Technology  Incentives  Program. 

THE  INSTITUTE  FOR  BASIC  STANDARDS  provides  the  central  basis  within  the  United  States  of  a  complete  and  consist- 
ent system  of  physical  measurement;  coordinates  that  system  with  measurement  systems  of  other  nations;  and  furnishes  essen- 
tial services  leading  to  accurate  and  uniform  physical  measurements  throughout  the  Nation's  scientific  community,  industry, 
and  commerce.  The  Institute  consists  of  the  Office  of  Measurement  Services,  and  the  following  center  and  divisions: 

Applied  Mathematics  —  Electricity  —  Mechanics  —  Heat  —  Optical  Physics  —  Center  for  Radiation  Research  —  Lab- 
oratory Astrophysics °  —  Cryogenics'  —  Electromagnetics^  —  Time  and  Frequency'. 

THE  INSTITUTE  FOR  MATERIALS  RESEARCH  conducts  materials  research  leading  to  improved  methods  of  measure- 
ment, standards,  and  data  on  the  properties  of  well-characterized  materials  needed  by  industry,  commerce,  educational  insti- 
tutions, and  Government;  provides  advisory  and  research  services  to  other  Government  agencies;  and  develops,  produces,  and 
distributes  standard  reference  materials.  The  Institute  consists  of  the  Office  of  Standard  Reference  Materials,  the  Office  of  Air 
and  Water  Measurement,  and  the  following  divisions: 

Analytical  Chemistry  —  Polymers  —  Metallurgy  —  Inorganic  Materials  —  Reactor  Radiation  —  Physical  Chemistry. 

THE  INSTITUTE  FOR  APPLIED  TECHNOLOGY  provides  technical  services  developing  and  promoting  the  use  of  avaU- 
able  technology;  cooperates  with  public  and  private  organizations  in  developing  technological  standards,  codes,  and  test  meth- 
ods; and  provides  technical  advice  services,  and  information  to  Government  agencies  and  the  public.  The  Institute  consists  of 
the  following  divisions  and  centers: 

Standards  Application  and  Analysis  —  Electronic  Technology  —  Center  for  Consumer  Product  Technology:  Product 
Systems  Analysis;  Product  Engineering  —  Center  for  Building  Technology:  Structures,  Materials,  and  Safety;  Building 
Environment;  Technical  Evaluation  and  Application  —  Center  for  Fire  Research:  Fire  Science;  Fire  Safety  Engineering. 

THE  INSTITUTE  FOR  COMPUTER  SCIENCES  AND  TECHNOLOGY  conducts  research  and  provides  technical  services 
designed  to  aid  Government  agencies  in  improving  cost  effectiveness  in  the  conduct  of  their  programs  through  the  selection, 
acquisition,  and  effective  utilization  of  automatic  data  processing  equipment;  and  serves  as  the  principal  focus  wthin  the  exec- 
utive branch  for  the  development  of  Federal  standards  for  automatic  data  processing  equipment,  techniques,  and  computer 
languages.  The  Institute  consist  of  the  following  divisions: 

Computer  Services  —  Systems  and  Software  —  Computer  Systems  Engineering  —  Information  Technology. 

THE  OFFICE  OF  EXPERIMENTAL  TECHNOLOGY  INCENTIVES  PROGRAM  seeks  to  affect  public  policy  and  process 
to  facilitate  technological  change  in  the  private  sector  by  examining  and  experimenting  with  Government  policies  and  prac- 
tices in  order  to  identify  and  remove  Government-related  barriers  and  to  correct  inherent  market  imperfections  that  impede 
the  innovation  process. 

THE  OFFICE  FOR  INFORMATION  PROGRAMS  promotes  optimum  dissemination  and  accessibility  of  scientific  informa- 
tion generated  within  NBS;  promotes  the  development  of  the  National  Standard  Reference  Data  System  and  a  system  of  in- 
formation analysis  centers  dealing  with  the  broader  aspects  of  the  National  Measurement  System;  provides  appropriate  services 
to  ensure  that  the  NBS  staff  has  optimum  accessibility  to  the  scientific  information  of  the  world.  The  Office  consists  of  the 
following  organizational  units: 

Office  of  Standard  Reference  Data  —  Office  of  Information  Activities  —  Office  of  Technical  Publications  —  Library  — 
Office  of  International  Standards  —  Office  of  International  Relations. 


'  Headquarters  and  Laboratories  at  Gaithersburg,  Maryland,  unless  otherwise  noted;  mailing  address  Washington,  D.C.  20234. 
^  Located  at  Boulder,  Colorado  80302. 


•  BATIONAL  BTJRKA' 
V  PF  BTAKDAPI 
LIBRA r' 


COMPUTER  SCIENCE  &  TECHNOLOGY:         ^  i(f  m 

An  Analysis  of  Computer  Security  Safeguards  ^ 
for  Detecting  and  Preventing  Intentional  7 
Computer  Misuse      ^^<^^g  ^^ix^c^^.w 


Brian  Ruder  and  J.D.  Madden 

Stanford  Research  Institute 
Menlo  Park,  California  94025 


Robert  P.  Blanc,  Editor 

Institute  for  Computer  Sciences  and  Technology 
National  Bureau  of  Standards 
Washington,  D.C.  20234 


U.S.  DEPARTMENT  OF  COMMERCE,  Juanita  M.  Kreps,  Secretary 
Dr.  Sidney  Harman,  Under  Secretary 

Jordan  J.  Baruch,  Assistant  Secretary  for  Science  and  Technology 
U  S  -NATIONAL  BUREAU  OF  STANDARDS,  Ernest  Ambler,  Acting  Director 

Issued  January  1978 


Reports  on  Computer  Science  and  Technology 


The  National  Bureau  of  Standards  has  a  special  responsibility  within  the  Federal 
Government  for  computer  science  and  technology  activities.  The  programs  of  the 
NBS  Institute  for  Computer  Sciences  and  Technology  are  designed  to  provide  ADP 
standards,  guidelines,  and  technical  advisory  services  to  improve  the  effectiveness  of 
computer  utilization  in  the  Federal  sector,  and  to  perform  appropriate  research  and 
development  efforts  as  foundation  for  such  activities  and  programs.  This  publication 
series  will  report  these  NBS  efforts  to  the  Federal  computer  community  as  well  as  to 
interested  specialists  in  the  academic  and  private  sectors.  Those  wishing  to  receive 
notices  of  publications  in  this  series  should  complete  and  return  the  form  at  the  end 
of  this  publication. 


National  Bureau  of  Standards  Special  Publication  500-25 

Nat.  Bur.  Stand.  (U.S.),  Spec.  Publ.  500-25,  80. pages  (Jan.  1978) 
CODEN:  XNBSAV 


Library  of  Congress  Cataloging  in  Publication  Data 

Ruder,  Brian. 

An  analysis  of  computer  safeguards  for  detecting  and  preventing 
intentional  computer  misuse. 
(Computer  science  &  technology)  (NBS  special  publication ;  500-25) 
Supt.  of  Docs,  no.:  CI 3. 10: 500-25 

1.  Computer  crimes.  2.  Computers— Access  control.  3.  Electronic 
data  processing  departments— Security  measures.  I.  Madden,  J.  D., 
joint  author.  II.  Title.  III.  Series.  IV.  Series:  United  States.  National 
Bureau  of  Standards.  Special  publication  ;  500-25. 
QC100.U57  no.  500-25  [HV6773]  602Ms  [364.  r62]  77-25368 


U.S.  GOVERNMENT  PRINTING  OFFICE 
WASHINGTON:  1978) 


For  sale  by  the  Superintendent  of  Documents,  U.S.  Government  Printing  Office 
Washington,  D.C.  20402.  Price  $2.40— Stock  No.  003-003-01871-6 


PREFACE 


The  work  reported  here  was  performed  at  Stanford  Research 
Institute  (SRI)  for  the  National  Bureau  of  Standards  (NBS) .  The 
objectives  of  the  study  are  to: 

(1)  Develop  a  working  definition  of  intentional  computer 
misuse  and  a  taxonomy  to  characterize  the  different 
types  of  intentional  computer  misuse. 

(2)  Develop  a  ranked  list  of  specific  detection  mechanisms. 

(3)  Develop  a  ranked  list  of  specific  prevention  mechanisms. 

The  detection  and  prevention  mechanisms  were  to  be  developed  as  a 
result  of  analysis  of  computer  misuse  case  files,  most  of  which  are 
maintained  by  Mr.  Donn  B.  Parker  of  SRI. 


Robert  P.  Blanc,  Editor 
Staff  Assistant  for  Computer 

Utilization  Programs 
Institute  for  Computer  Sciences 

and  Technology 
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AN  ANALYSIS  OF  COMPUTER  SECURITY  SAFEGUARDS  FOR 
DETECTING  AND  PREVENTING  INTENTIONAL  COMPUTER  MISUSE 

Brian  Ruder 
J.  D.  Madden 
Stanford  Research  Institute 
Menlo  Park,  California  94025 

ABSTRACT 

Stanford  Research  Institute  (SRI)  has  an  extensive  file  of  actual 
computer  misuse  cases.     The  National  Bureau  of  Standards  asked  SRI  to 
use  these  caaes  as  a  foundation  to  develop  ranked  lists  of  computer 
safeguards  that  would  have  prevented  or  detected  the  recorded  intentional 
misuses. 

This  report  provides  a  working  definition  of  intentional  computer 
misuse,  a  construction  of  a  vulnerability  taxonomy  of  intentional 
computer  misuse,  a  list  of  88  computer  safeguards,  and  a  model  for 
classifying  the  safeguards.     In  addition,  there  are  lists  ranking 
prevention  and  detection  safeguards,  with  an  explanation  of  the  method 
of  approach  used  to  arrive  at  the  lists. 

The  report  should  provide  the  computer  security  specialist  with 
sufficient  information  to  start  or  enhance  a  computer  safeguard  program. 

KEY  WORDS 

Computer  security;  computer  misuse;  computer  safeguards;  computer 
security  model;  computer  crime;  computer  fraud;  privacy. 
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I.  INTRODUCTION 


A  primary  objective  of  this  report  is  to  identify  computer  safeguards 
that  would  have  been  useful  in  detecting  and  preventing  actual  cases 
of  computer  misuse.     Section  VI  contains  safeguard  rankings  based  on 
cases  of  past  intentional  computer  misuse.     These  cases  span  the  spectrum 
of  computer  misuse,  but  the  number  of  cases  that  fall  into  each  vulner- 
ability category  probably  do  not  reflect  any  one  specific  computer 
environment.     Generally  speaking,  the  highest  ranking  safeguards  should 
be  best  in  most  environments,  but  the  ranking  process  is  somewhat 
subjective  due  to  the  nature  of  the  cases  and  degree  of  detail  specified 
in  the  safeguard  description.     Therefore,  the  rankings  should  not  be 
considered  absolute.     Computer  specialists  should  consider  all  tools  as 
they  develop  their  computer  protection  plan.     A  set  of  tools  and  a 
description  of  their  purpose  and  application  is  provided  in  Appendix  B. 

This  report  contains  the  results  of  six  work  efforts,  each  of  which 
is  briefly  described  below. 

The  first  effort  involved  developing  a  taxonomy  of  computer 
vulnerability  to  intentional  computer  misuse.     The  computer  vulnerability 
taxonomy  forms  the  foundation  for  the  definition  of  intentional  computer 
misuse  as  well  as  the  foundation  for  categorizing  past  cases  of  computer 
misuse.     Section  II  of  this  report  contains  this  taxonomy. 

The  second  effort  was  to  develop  a  working  definition  of  intentional 
computer  misuse.     The  persons  known  to  be  studying  the  area  of  computer 
misuse  throughout  the  country  were  contacted  to  determine  their  current 
definitions  relating  to  computer  abuse  or  computer  misuse.     The  resulting 
definition  of  intentional  computer  misuse  and  a  discussion  of  how  the 
definition  was  arrived  at  are  addressed  in  Section  III  of  this  report. 

The  third  effort  was  to  review  the  case  file  of  computer  misuses 
and  distribute  cases  into  appropriate  vulnerability  categories.  Each 
case  was  placed  in  only  one  vulnerability  category  even  though  three  or 
four  misuses  may  have  been  identified  in  the  case  writeup.     Each  case 
was  placed  in  the  category  corresponding  to  the  first  misuse  identified 
in  the  case  writeup. 

The  fourth  effort  was  to  review  case  files  to  identify  the  prevention 
and  detection  safeguard  mechanisms  in  each  case  that  would  have  mitigated 
the  misuses  in  that  case.     The  safeguards  from  a  previous  NSF  studyl 
as  well  as  those  gathered  from  other  relevant  source  material  were  used 
as  a  base  and  were  supplemented  by  the  authors'  experiences  and  ideas. 


"Computer  System  Integrity  Research  Program,"  National  Science 
Foundation  Grant  DCR74-23774. 
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The  fifth  effort  was  to  develop  a  safeguard  model  that  would 
provide  a  basis  for  describing,  identifying,  and  distributing  each 
safeguard.     The  most  useful  model  appeared  to  be  one  based  on  organi- 
zational structure.     Consequently,  safeguards  were  classified  into 
categories  bearing  the  names  of  the  organizational  element  responsible 
for  initiation  or  implementation  of  the  safeguard.     This  type  of  model 
allows  users  of  this  report  to  change  the  model  to  reflect  the  structure 
of  their  organization.     In  addition,  it  clearly  points  out  that  computer 
security  is  an  organizational  problem  and  not  just  a  data  processing  or 
internal  audit  problem.     Section  IV  of  this  report  provides  a  description 
of  the  model. 

The  sixth  effort  involved  ranking  the  safeguard  mechanisms  within 
a  vulnerability  category.     An  algorithm  was  developed  in  which  all  tools 
were  scored  as  to  their  effectiveness  against  the  cases  in  each  of  the 
vulnerability  categories.     Since  many  of  the  cases  had  little  informa- 
tion, or  lacked  specific  technical  information  to  permit  determining 
how  effective  some  of  the  safeguards  might  be,  there  is  a  subjectivity 
to  the  ranking  process  that  we  believe  reflects  SRI  technical  expertise 
and  provides  the  best  ranking  possible.     However,  the  reader  should  be 
aware  that  the  ranking  is  not  absolute  and  reflects  the  applicability  of 
the  safeguards  against  past  cases  of  misuse.     Section  VI  of  this  report 
contains  the  rankings. 

II.     TAXONOMY  OF  VULNERABILITY  TO  INTENTIONAL  MISUSE 

Three  types  of  computer  resources  to  be  protected  are  identified 
as  follows: 

•  Intellectual  property  (data  and  programs) 

•  Physical  property  (equipment  and  supplies) 

•  Computer  services  and  processes 

With  regard  to  intellectual  property,  misuses  include  unauthorized 
modification,  destruction,  and  disclosure.     With  regard  to  physical 
property,  misuses  include  unauthorized  modification,  destruction  and 
theft.    With  regard  to  services  and  processes,  the  misuses  include 
unauthorized  use  (theft)  or  denial  of  authorized  use.     Within  the 
intellectual  property  domain,  it  is  worthwhile  to  identify  whether 
or  not  the  misuse  occurred  internally  or  externally  to  the  computer 
system.     Internal  includes  activities  from  the  time  data  or  programs 
are  entered  at  a  terminal  by  reading  or  by  using  some  other  input 
device  until  the  time  they  are  output  at  a  printer,  display  terminal 
or  other  output  device.     External  activities  include  all  data  preparation 
and  data  handling  prior  to  the  time  the  data  are  entered  at  an  input 
device  and  after  the  data  are  output  at  an  output  device. 
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The  vulnerability  taxonomy  described  has  17  separate  categories. 
This  is  the  minimum  number  of  categories  required  to  differentiate  the 
different  types  of  intentional  misuses  as  far  as  this  study  is  concerned. 
Figure  1  provides  a  schematic  diagram  of  the  vulnerability  taxonomy  as 
described  above.     Appendix  A  provides  definitions  of  each  category. 


III.     DEFINITION  OF  INTENTIONAL  COMPUTER  MISUSE 


The  concept  of  intentional  computer  misuse  is  used  throughout 
the  study.     The  definition  of  intentional  computer  misuse  is  a  function 
of  the  vulnerability  taxonomy  described  in  Section  II.  Intentional 
computer  misuse  is  defined  as  an  intentional  act  directed  at  or 
committed  with  a  computer  system  or  its  associated  external  data  or 
program  activities  in  which  there  is: 


•  Unauthorized  modification,  destruction,  or 
disclosure  of  intellectual  property  (data  or 
programs),  or 

•  Unauthorized  modification,  destruction,  or 
theft  of  physical  property  (equipment  and 
supplies),  or 

•  Unauthorized  use  or  denial  of  a  computer  service 
or  process. 


This  definition  defines  intentional  computer  misuse  from  a  data 
processing  point  of  view,  consistent  with  the  objectives  of  this  report. 


IV.     SAFEGUARD  MODEL 


A  safeguard  model  provides  a  means  of  describing,  identifying, 
and  distributing  safeguards.     It  was  decided  that  the  most  useful 
model  would  reflect  organizational  structure.     This  model  reflects 
responsibility  for  initiation  or  implementation  of  the  safeguards. 
Developing  a  safeguard  model  that  is  structured  around  the  organization 
points  out  to  the  security  specialist  and  to  management  that  computer 
security  is  the  responsibility  of  many  organizational  elements.  In 
addition,  the  model  provides  a  convenient  mechanism  for  assigning 
safeguards  identified  in  this  report.     Figure  2  provides  a  schematic 
diagram  that  reflects  the  model  we  suggest.     Insurance,  personnel, 
and  contracts  are  defined  as  staff  activities,  but  could  be  placed  at 
the  same  level  as  operations,  data  processing,  security  or  audit. 
Following  is  a  brief  description  of  each  element  of  the  model: 
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•  General  Management — This  element  includes  those 
persons  or  functions  whose  primary  responsibility 
is  the  management  and  administration  of  the  agency. 
This  element  is  responsible  for  establishing  policy 
and  ensuring  that  adequate  financial  and  line 
management  support  is  provided  to  carry  out  the 
agency  charter. 

•  Personnel — This  subelement  is  responsible  for 
maintaining  personal  information  on  employees 
required  by  the  agency  as  well  as  providing  the 
official  guidelines  describing  the  policy  of  the 
agency  regarding  hiring  and  firing  criteria. 

•  Contracts — This  subelement  is  responsible  for 
ensuring  that  all  contracts,  including  those 
involving  software  and  hardware,  are  well 
specified  to  minimize  the  potential  for  loss 
resulting  from  improper  performance. 

•  Insurance — This  subelement  is  responsible  for 
ensuring  that  the  facilities,  including  software 
and  hardware,  are  adequately  insured. 

•  Operations  Division — Most  Government  agencies 
will  have  more  than  one  operations  division,  but 
conceptually  they  are  all  similar  from  a  data 
processing  point  of  view.     Consequently  the  model 
provides  for  only  one  operations  division.  An 
operations  division  is  an  organizational  unit 
responsible  for  one  general  agency  function  such 
as  logistics.     Each  operations  division  has  many 
departments,  but  only  two,  application  program 
development  and  data  handling,  are  germane  to  the 
model. 

•  Application  Program  Development — For  this  report,  all 
application  program  development  and  support  are 
placed  outside  of  data  processing,     even  though 

many  agencies  provide  application  support  within 
data  processing.     This  placement  was  chosen  for 
convenience  to  separate  application  program  safe- 
guards from  system  program  safeguards.  Application 
program  development  includes  all  facets  of  information 
collection  and  analysis,  programming,  and  testing 
required  to  develop  computer-based  systems  such  as 
payroll,  accounts  payable  and  the  like. 
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Data  Handling — This  component  Includes  all  facets 
of  data  preparation,  transport  to  and  from  input 
and  output  devices,  and  report  distribution  and 
storage. 

Audit — This  element  includes  the  internal  audit  and 
automatic  data  processing  (ADP)  audit  function. 
(The  audit  safeguards  in  this  report  reflect  primarily 
ADP  auditing.)     The  responsibility  of  this  element 
includes  verification  and  evaluation  of  controls, 
standards,  and  data  processing  results. 

Security — This  element  is  responsible  for  computer 
security,  policy  and  coordination  as  well  as 
traditional  security  items  such  as  safes,  locks,  etc. 
Many  agencies  may  have  the  computer  security 
administration  function  located  within  the  data 
processing  function.     Others  believe  it  should  be 
outside  data  processing  to  assure  it  can  operate 
independently  and  objectively. 

Data  Processing — This  element  includes  the  management 
and  operation  of  all  computer  equipment,  personnel  and 
space  to  meet  the  agency's  ADP  requirements. 

System  Control — This  element  is  responsible  for 
ensuring  the  integrity  of  the  operating  system  and 
environment  in  which  application  programs  execute. 
It  has  three  components:     Application  Interface, 
Internal  Control,  and  Hardware  Support. 

Application  Interface — This  component  is  responsible  for 
specifying  application  program  standards  and  ensuring 
that  all  application  systems  are  properly  tested  and 
documented.     It  is  also  responsible  for  program  change 
control. 

Internal  Control — This  component  is  responsible  for 
cataloging  all  internal  controls  available  and  ensuring 
that  operational  application  system  controls  are  in 
place  and  working.     In  addition,  this  component 
ensures  that  the  operating  system  has  adequate  internal 
controls  and  is  maintained  properly. 

Hardware  Support — This  component  is  responsible  for 
ensuring  that  hardware  maintenance  is  performed  in  a 
reliable  and  valid  manner.     In  addition,  this  component 
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is  responsible  for  the  acquisition  and  maintenance 
of  any  hardware  required  to  support  security 
safeguards . 

•        Operations — This  element  is  responsible  for  the  day- 
to-day  operation  of  all  computer  equipment.     It  also 
is  responsible  for  media  backup,  transport,  and 
storage. 

V.     COMPUTER  SECURITY  PROGRAM  REQUIREMENTS 

This  report  is  oriented  toward  identifying  prevention  and 
detection  safeguards  that  would  have  been  effective  against  actual 
cases  of  intentional  computer  misuse.     There  is,  however,  a  require- 
ment that  an  organization  have  an  overall  computer  security  program 
within  which  the  safeguards  can  function.     The  basis  for  a  computer 
security  program  is  management  policy  and  support  that  clearly  define 
a  computer  security  charter  and  its  scope.     Following  is  a  brief 
discussion  of  basic  elements  required  to  establish  such  a  program 
that  will  allow  the  prevention  and  detection  safeguards  to  be  effec- 
tively implemented  and  used.     It  is  important  to  note  that  the  following 
is  a  description  of  only  one  of  various  possible  organizational 
structures.     Further  guidance  will  be  forthcoming  from  NBS  in  the 
area  of  computer  security  program  requirements. 

.  Computer  Security  Policy  and  Control  -  General  management  must 
ensure  that  the  agency  has  a  computer  security  policy  coordination 
function.     This  function  may  be  the  responsiblity  of  one  or  more 
persons  who  act  as  a  focus  for  computer  security  policy  and  coordination. 
This  function  should  reside  outside  data  processing,  but  those  respon- 
sible should  work  very  closely  with  data  processing  management.  In 
the  suggested  safeguard  model,  the  policy  and  coordination  function 
would  reside  with  security.     Its  primary  responsibilities  are  to 
develop  workable  computer  security  standards  and  to  coordinate  the 
acquisition  or  implementation  of  computer  security  safeguards.  In 
addition,   this  function  works  closely  with  the  audit  function  to  verify 
compliance  to  standards  and  adequacy  of  safeguards  in  place. 

ADP  Audit  Function  -  It  is  important  to  have  well-trained  ADP 
auditors  within  the  audit  function.     The  ADP  audit  function  is  a 
relatively  new  function  that  works  almost  exclusively  verifying  the 
accuracy  and  completeness  of  computer-based  information  systems. 
General  management  must  ensure  that  the  ADP  audit  function  has  a  clearly 
defined  charter  that  includes  responsibilities  of  ADP  auditors  in 
each  of  the  following  areas: 
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1.  System  Development  -  the  ADP  auditor  monitors  the  develop- 
ment process  and  acts  as  an  advisor  to  the  user  regarding 
Internal  controls  that  should  be  designed  Into  the  applica- 
tion system.     These  controls  include  run-to-run  totals, 
logging,  and  usage  reports.     The  ADP  auditor  does  not 
participate  in  the  actual  design  or  implementation  of  the 
system. 

2.  Testing  -  the  ADP  auditor  ensures  the  adequacy  of  test 
procedures  and  verifies  the  existence  and  adequacy  of 
internal  controls. 

3.  Operations  -  the  ADP  auditor  performs  op.erational  audits 
to  ensure  compliance  to  standards  generated  by  the  system 
control  function  and  the  data  processing  function.  These 
include  standards  on  items  such  as  media  labeling, 
handling  and  storage. 

4.  Post-installation  Review  -  the  ADP  auditor  works  with  the 
user  to  determine  the  actual  characteristics  of  the  system 
and  whether  they  meet  the  users  requirements  as  Intended. 

5.  Thru-the-Computer-Audit  -  the  ADP  auditors  should  use  the 
computer  to  assist  them  in  auditing  information  accuracy  and 
completeness.     In  particular,  the  auditors  should  include 
audit  of  data  stored  internally  to  the  computer  system, 
i.e.,   the  auditors  should  not  audit  "around  the  computer." 

System  Design  Standards  -  General  management  should  ensure  that 
internal  controls  and  other  security  mechanisms  are  included  among  the 
system  design  considerations.     Standards  or  guidelines  should  be 
established  to  ensure  that  they  are  included. 

Insurance  -  General  management  should  require  that  the  ADP 
insurance  program  is  current  and  that  a  risk  assessment  is  made  to 
establish  the  completeness  of  items  insured  and  the  amounts  for  which 
they  are  insured. 

Contracts  -  General  management  should  ensure  that  the  responsible 
personnel  in  the  contracts  office  are  properly  trained  in  ADP  technolog 
and  terminology  and  are  aware  of  particular  problems  associated  with 
contracting  for  computer  programs,  ADP  equipment,  supplies  and  services 

It  is  important  that  general  management  recognize  the  importance 
of  its  role  in  any  successful  computer  security  program.     A  study  for 
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the  Institute  of  Internal  Auditors  recently  completed  by  SRI  indicates 
that  general  management  support  for  audit  and  control  programs  needs 
to  be  improved  if  the  integrity  of  computer-based  information  systems 
is  to  be  ensured. 

Safeguard  Implementation  Strategy  -  An  important  point  to  consider 
in  developing  a  safeguard  program  is  how  the  safeguards  should  be 
applied,  i.e.,  the  strategy  of  safeguarding  computer  systems.  Providing 
a  complete  strategy  is  beyond  the  scope  of  this  report,  but  a  few 
basic  considerations  are  provided. 

First,  the  case  files  indicated  that  the  most  misused  systems 
include: 

•  Payroll 

•  Accounts  payable  and  receivable 

•  Certificate  generating  (license,  stocks,  etc.) 

•  Social  payment  (welfare  and  other  benefits) 

•  Operating  system  (vendor-supplied  system  that 

runs  the  computer) 

These  systems  should  be  protected  first. 

Second,  the  safeguards  provided  are  broad  in  their  application. 
The  security  specialist  must  consider  the  safeguards  in  the  context 
of  the  specific  environment. 

Third,  the  method  for  determining  which  safeguards  are  best  for 
a  particular  environment  requires  the  establishment  of  a  formal 
risk  assessment.     Guidelines  for  Automatic  Data  Processing  Physical 
Security  and  Risk  Management   (FIPS  PUB  31)  and  Automatic  Data  Processing 
Risk  Assessment  (NBSIR  77-1228)  both  published  by  NBS  are  excellent 
documents  to  start  the  risk  assessment  process.     The  most  important 
item  to  recognize  in  performing  a  risk  assessment  is  that  no  two  ADP 
environments  are  the  same  and  thus  each  environment  must  be  evaluated  to 
determine  the  best  strategy  for  protecting  it. 

VI.     SAFEGUARD  ANALYSIS  AND  RANKINGS 

Safeguard  Classification 

For  this  report,  a  safeguard  is  classified  as  a  detection  mechanism 
if  it  operates  after  the  occurence  of  the  misuse,  regardless  of  whether 
it  operates  within  a  few  seconds  or  a  number  of  days  after  the  misuse. 
In  a  number  of  cases,  the  time  period  in  which  the  safeguard  operates  is 
a  function  of  how  it  is  implemented  and  used  within  an  organization. 
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For  example,  some  of  the  logging  safeguards  could  be  Implemented  to 
trigger  an  action  when  a  specific  type  of  record  is  encountered  or  to 
allow  review  of  the  record  at  the  end  of  some  specified  time  period, 
possibly  a  day. 

A  total  of  88  safeguards  are  described  in  this  report.     Of  these 
32  are  detection  safeguards  and  56  are  prevention  safeguards.     Of  the 
32  detection  safeguards,  15  are  within  the  responsibility  of  the  Audit 
function.     Most  audit  safeguards  are  for  use  by  ADP  auditors.     The  ADP 
Audit  function  is  rapidly  becoming  one  of  the  most  important  functions 
within  organizations  concerned  with  vulnerabilities  of  computer  systems. 

The  Internal  Control  element  within  the  data  processing  function 
has  responsibility  for  19  safeguards  because  of  the  definition  assigned 
to  that  element.     It  was  given  responsibility  for  many  of  the  password 
safeguards  that  could  fall  under  the  security  function.     The  Internal 
Control  element  is  one  of  the  most  important  security  control  functions 
as  is  the  Audit  function. 

The  88  safeguards  are  listed  in  Table  1.     Their  order  of  listing  is 
based  on  the  safeguard  model,  with  General  Management  safeguards  first 
and  those  from  Operations  in  Data  Processing  last.     Within  each 
organizational  element  category,  the  detection  safeguards  appear  before 
prevention  safeguards.     An  attempt  has  been  made  to  list  the  highest 
ranking  safeguards  first  within  a  given  category.     A  "D"  entry  in  the 
table  indicates  that  the  associated  safeguard  has  some  capability  for 
detecting  misuses  in  that  vulnerability  category.     Similarly,  a  "P" 
entry  indicates  that  the  safeguard  has  some  capability  to  prevent 
misuses  in  the  indicated  vulnerability  category.     Appendix  B  contains 
formatted  descriptions  of  each  of  the  safeguards.     Safeguards  in 
Appendix  B  are  listed  in  the  same  order  as  they  appear  in  Table  1. 

Safeguard  Rankings 

Table  2  provides  a  list  of  the  top  25  ranked  detection  safeguards 
within  vulnerability  categories,  and  Table  3  provides  a  similar  list 
for  the  top  31  ranked  prevention  safeguards.     Only  those  safeguards 
that  were  ranked  in  the  top  five  on  the  basis  of  effectiveness  for  one 
of  the  vulnerability  categories  were  included.     A  "1"  entry  in  Table 
2  or  3  indicates  that  the  associated  safeguard  was  deemed  to  be  the  most 
effective  safeguard  against  the  specified  vulnerability  category.  As 
an  example,  for  the  vulnerability  category  in  Table  2,  Internal  Program 
Disclosure,  the  five  most  effective  detection  safeguards,  listing  the 
most  effective  one  first  are: 
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RANK 


DETECTION  SAFEGUARD 


1 


User  Command  Log 


2 


Sensitive  File  Access  Log 


3 


Operator  Console  Log 


4 


Media  Usage  Log 


5 


Computer  Resource  Usage  Audit 


It  should  be  pointed  out  that  not  all  vulnerability  categories  in 
either  Tables  2  or  3  contain  five  ranked  safeguards  (e.g.,  the  Computer 
Equipment  and  Supplies/Modification  category  in  Table  3) .     The  reason 
for  this  is  that  some  vulnerability  categories  have  fewer  than  five 
safeguards  deemed  effective. 

One  caution  is  indicated  in  interpreting  Tables  2  and  3.  The 
safeguards  are  ranked  only  within  a  given  vulnerability  category  and 
can  be  considered  valid  over  a  reasonable  range  of  installations.  As 
previously  mentioned,  rankings,  to  some  degree,  are  dependent  on 
environment.     For  Tables  2  and  3  comparisons  between  vulnerability  cate- 
gories are  meaningless.     Tables  4  and  5  provide  lists  of  safeguards 
ranked  across  all  vulnerability  categories. 

Table  4  presents  the  eight  most  effective  detection  safeguards, 
and  Table  5  presents  the  eight  most  effective  prevention  safeguards. 
For  example.  Table  5  indicates  that  on  a  consensus  basis.  Application 
System  Design  Verification  is  the  most  effective  prevention  safeguard 
and  Data  Center  Access  Control  is  ranked  fifth. 

Great  care  must  be  exercised  in  interpreting  Tables  4  and  5.  They 
are  based  on  assumptions  of  limited  validity  at  best. 

To  arrive  at  a  consensus,  an  assumption  was  made  that  all  vulner- 
ability categories  are  of  equal  importance.     It  is  unlikely,  however, 
that  this  assumption  is  completely  true  for  any  given  installation, 
and  for  some  it  may  have  no  validity. 

Another  assumption  made  was  that  all  of  the  safeguards  are  of  the 
same  degree  of  generality.     The  very  general  safeguards  tend  to  receive 
a  higher  consensus  score  than  the  specific  safeguards  even  though  it 
may  not  be  possible  to  implement  the  general  safeguards  completely, 
and  their  implementation  is  likely  to  be  more  expensive.     In  Table  4, 
Operations  Area  Surveillance  is  the  highest  ranked  safeguard.     If  a 
single  general  audit  safeguard  had  been  used  instead  of  15  more 
specific  safeguards,  almost  certainly  the  single  audit  would  have 
ranked  first. 
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Table  4 


CONSENSUS  RANKING:     DETECTION  SAPEGUARDS 


Ranking 


Security 

1.     Operations  Area  Surveillance  1 

Internal  Control 

1.  User  Command  Log  2 

3.  Sensitive  File  Access  Log  3 

2.  Data  Transformation  4 

Security 

2.  Area  Alarm  System  5 
Audit 

5.     Data  Handling  Audit  6 

Internal  Control 

4.  Operator  Console  Log  7 

Audit 

4.     Selected  Transaction  Audit  8 


Table  5 

CONSENSUS  RANKING:     PREVENTION  SAFEGUARDS 


Ranking 


Audit 

16.     Application  System  Design  Verification  1 

Application  Interface 

1.     Application  System  Test  2 

Personnel 

1.  Employee  Termination  Policy  3 

Data  Processing 

3.     Password  Protection  System  4 

Security 

3.  Data  Center  Access  Control  5 

4.  Fire  Detection  and  Extinguishment  6 

Data  Handling 

2.  Input/Output  Data  Control  7 

3.  Input/Output  Data  Storage  8 
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VII.     SUMMARY  AND  CONCLUSIONS 


This  report  provides  a  foundation  for  the  development  of  a  computer 
safeguard  program  directed  toward  the  detection  and  prevention  of 
intentional  computer  misuse.     The  definition  of  intentional  computer 
misuse  and  the  construction  of  an  associated  vulnerability  taxonomy 
are  believed  to  be  comprehensive  and  complete.     The  safeguards  described 
in  the  report  were  developed  as  a  result  of  analysis  of  actual  cases  of 
computer  misuse  on  record  at  SRI  and  other  research  organizations.  The 
safeguards  are  ranked  within  each  vulnerability  category  and  across  all 
categories,  but  the  rankings  are  not  absolute. 

Three  final  considerations  are  noteworthy.       First,  to 
develop  a  safeguard  program,  it  is  necessary  to  know  what  safeguards 
are  required  and  who  is  responsible  for  their  initiation  or  implemen- 
tation.    In  this  report  an  organizational  model  for  assigning  responsi- 
bility is  presented.     Whereas  the  model  provides  a  good  classification 
scheme  for  this  report,  it  requires  additional  work  to  show  the 
interrelationships  between  general  management,  line  management,  and  staff 
employees.     The  model  indicates  that  all  elements  of  an  agency  or 
organization  have  some  responsibility  for  computer  security,  but 
it  does  not  address  the  responsibilities  of  individuals. 

Secondly,  it  would  be  useful  to  have  a  comprehensive  format  to 
describe  safeguards.     In  a  review  of  an  actual  case  of  misuse,  a 
specific  safeguard  that  would  prevent  or  detect  that  misuse  can  be 
conceived.     When  a  new  but  similar  case  is  reviewed,  the  same  safeguard 
with  slight  modification  is  required.     After  twenty  to  thirty  such 
reviews,  one  either  has  twenty  specific  but  very  similar  safeguards  or 
the  tool  description  becomes  somewhat  general.     In  describing  the 
safeguards,  this  report  attempts  to  provide  sufficient  detail  for  the 
security  specialist.     Nonetheless,  a  comprehensive  safeguard  description 
format  would  allow  many  different  organizations  to  report  safeguards 
in  a  standard  format. 

Thirdly,  it  is  outside  the  scope  of  this  report  to  describe 
different  safeguard  implementation  strategies.     A  formal  risk  assess- 
ment must  be  performed  as  a  necessary  step  in  determining  the  safeguard 
implementation  strategy  for  any  particular  environment. 
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Appendix  A 


VULNERABILITY  CATEGORY  DEFINITIONS 

Following  are  definitions  of  the  seventeen  vulnerability  categorie 
that  make  up  the  vulnerability  taxonomy.  Modification  has  been  defined 
to  include  selective  destruction  in  which  the  intent  of  the  destruction 
is  personal  gain--e,g.,  destroying  a  record  of  a  personal  bill.  De- 
struction has  been  restricted  to  include  malicious  acts  in  which  the  pr 
intent  was  to  cause  damage — e,g.,  throwing  disk  packs  out  the  window. 

1.     Unauthorized  Modification  of  Data  Internal  to  the  Computer  System 
(DMI) 

Vulnerabilities  include  unauthorized  modification  of  computer 
data  residing  within  the  computer  system  proper.     Covered  are 
insertion  of  new  data  and  modification  or  deletion  of  existing 
data  by  using  an  application  system,  system  programs,  or 
system  facilities. 


2.     Unauthorized  Destruction  of  Data  Internal  to  the  Computer  System 
(DDel) 

Vulnerabilities  include  unauthorized  destruction  of  computer 
data  residing  within  the  computer  system  proper.     Entailed  is 
the  intentional  arbitrary  destruction  of  existing  data  by 
using  an  application  system,  system  programs,  or  system 
facilities . 


3.  Unauthorized  Disclosure  of  Data  Stored  Internal  to  the  Computer 
System  (DDil) 

Vulnerabilities  include  unauthorized  disclosure  of  computer 
data  residing  within  the  computer  system  proper.     Entailed  is 
the  disclosure  to  unauthorized  persons  of  existing  data  ob- 
tained by  using  an  application  system,  system  programs,  or 
system  facilities. 

4.  Unauthorized  Modification  of  Programs  Internal  to  the  Computer 
System  (PMI) 

Vulnerabilities  include  unauthorized  modification  of  programs 
residing  within  the  computer  system  proper.     Covered  are  in- 
sertion of  new  program  modules  and  modification  or  deletion 
of  existing  programs  by  using  an  application  system,  system 
programs,  or  system  facilities. 
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5.     Unauthorized  Destruction  of  Programs  Internal  to  the  Computer 
System  (PDel) 

Vulnerabilities  include  unauthorized  destruction  of  programs 
residing  within  the  computer  system  proper.     Entailed  is  the 
intentional  arbitrary  destruction  of  existing  programs  by 
using  an  application  system,  system  programs,  or  system 
facilities . 


6.  Unauthorized  Disclosure  of  Programs  Stored  Internal  to  the 
Computer  System  (PDil) 

Vulnerabilities  include  unauthorized  disclosure  of  programs 
residing  within  the  computer  system  proper.     Entailed  is  the 
disclosure  to  unauthorized  persons  of  existing  programs  ob- 
tained by  using  an  application  system,  system  programs,  or 
system  facilities. 

7.  Unauthorized  Modification  of  Data  External  to  the  Computer 
System  (DME) 

Vulnerabilities  include  unauthorized  physical  modification 

of  computer  data  residing  outside  the  computer  system 

proper.     Examples  of  misuse  that  might  be  committed  during  data 

origination,  data  preparation,  or  input  handling  are 

insertion  of  new  data  and  modification  or  deletion  of 

existing  data. 

8.  Unauthorized  Destruction  of  Data  External  to  the  Computer 
System  (DDeE) 

Vulnerabilities  include  unauthorized  physical  destruction 
of  computer  data  residing  outside  the  computer  system  proper. 
Entailed  is  the  intentional  arbitrary  destruction  of  data 
destined  either  as  input  to  the  system  or  output  from  the  system, 

9.  Unauthorized  Disclosure  of  Data  Stored  External  to  the 
Computer  System  (DDiE) 

Vulnerabilities  include  unauthorized  disclosure  of  computer 
data  residing  outside  the  computer  system  proper.  Entailed 
is  the  disclosure  to  unauthorized  persons  of  data  destined 
either  as  input  to  the  system  or  output  from  the  system. 
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10.  Unauthorized  Modification  of  Programs  External  to  the  Computer 
System  (PME) 

Vulnerabilities  include  unauthorized  modification  of  programs 
residing  outside  the  computer  system  proper.     Covered  are  in- 
sertion of  new  program  modules  and  modification  or  deletion 
of  existing  programs  stored  on  cards,  tapes,  or  disks, 
possibly  by  using  outside  computer  facilities. 

11.  Unauthorized  Destruction  of  Programs  External  to  the  Computer 
System  (PDeE) 

Vulnerabilities  include  unauthorized  destruction  of  programs 
residing  outside  the  computer  system  proper.     Entailed  is  the 
intentional  arbitrary  destruction  of  existing  programs  stored 
on  cards,  tapes,  or  disks,  possibly  by  using  outside  computer 
facilities . 


12.  Unauthorized  Disclosure  of  Programs  Stored  External  to  the 
Computer  System  (PDiE) 

Vulnerabilities  include  unauthorized  disclosure  of  programs 
residing  outside  the  computer  system  proper.     Entailed  is 
the  disclosure  to  unauthorized  persons  of  existing  programs 
stored  on  listings,  cards,  tapes,  disks,  or  other  storage 
media,   possibly  by  using  outside  computer  facilities. 

13.  Unauthorized  Modification  of  Computer  Equipment  or  Supplies 
(CE&SM) 

Vulnerabilities  include  unauthorized  physical  modification 
of  computer  system  equipment  or  supplies.     Covered  are  in- 
sertion of  a  new  element,  substitution  of  one  element  for 
another,  and  modification  or  deletion  of  an  existing  ele- 
ment with  intent  to  benefit  or  for  malicious  reasons. 


14.     Unauthorized  Destruction  of  Computer  Equipment  or  Supplies 
(CE&SDe) 

Vulnerabilities  include  unauthorized  physical  destruction 
of  computer  system  equipment  and  supplies.     Entailed  is 
intentional  arbitrary  destruction. 
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15.  Theft  of  Computer  Equipment  or  Supplies  (CE&ST) 

Vulnerabilities  include  theft  of  computer  system  equip- 
ment or  supplies  with  intent  to  benefit  or  for  malicious 
reasons . 

16.  Unauthorized  Use  of  Computer  System  Services  (SST) 

Vulnerabilities  include  the  unauthorized  use  of  any 
computer  system  services  or  resources. 

17.  Denial  of  Computer  System  Services  (SSD) 

Vulnerabilities  include  the  denial  of  computer  system 
services  to  authorized  users.     Entailed  is  the  intentional 
denial  of  system  services. 
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Appendix  B 


FORMATTED  SAFEGUARD  DESCRIPTIONS 

Each  of  the  88  safeguards  is    described  in  this  appendix.  They 
are  listed  in  the  same  order  as  they  are    presented  in  Table  1.  The 
CATEGORY  descriptor  identifies  the  organizational  element  responsible 
for  the  safeguard.     The  COMMENTS  descriptor  indicates  whether  the 
safeguard  must  be  designed  into  the  system  or  environment  or  whether 
retrofit  is  possible.     In  some  instances,  the  COMMENTS  section  contains 
additional  information  believed  to  be  useful  in  understanding  special 
characteristics  of  the  safeguard. 

For  convenience  the  last  page  of  this  appendix  contains  an  alpha- 
betized listing  of  all  vulnerability  category  abbreviations  with 
associated  meanings. 
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NAME: 


Adjustment/Correction  Reporting 


CATEGORY: 
DESCRIPTION: 


PURPOSE : 


General  Management  1 

Policy,  procedures,  and  software  to  provide  reports 
of  adjustment/correction  transactions  covering  the 
sphere  of  influence  for  each  manager.     For  example, 
any  modification,  updates,  deletions,  or  other 
changes  to  the  payroll  master  file  should  be  re- 
ported regularly  to  the  manager  of  payroll  systems 
for  his  information  and  action. 

To  detect  unauthorized  modification  of  data. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DMI ,  DME 
Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


Job  Rotation 
General  Management  2 

Policy  and  procedures  to  periodically  rotate  those 
positions  that  have  a  great  deal  of  authority 
among  individuals  in  the  data  handling  process. 
For  example ,     the  position  responsible  for  address 
changes  should  be  assumed  by  new  persons  period- 
ically and  without  notice.     The  new  person's  first 
responsibility  would  be  to  verify  the  integrity  of 
the  file. 


PURPOSE ; 


To  detect  unauthorized  modification  of  data, 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DME 

Retrofit 
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NAME: 
CATEGORY: 


Disaster  Avoidance 
General  Management  3 


DESCRIPTION:  Policy  that  facilities,  both  central  and  remote, 

are  to  be  designed  and  constructed  (or  modified) 
so  as  to  provide  maximum  protection  against  natural 
disasters  and  against  persons  intent  on  destroy- 
ing physical  or  intellectual  property. 
Documents,  such  as  Guidelines  for  Automatic  Data 
Processing  Physical  Security  and  Risk  Management, 
FIPS  PUB  31,  can  be  used  to  assess  the  vulnerability 
to  natural  disasters. 

PURPOSE:  To  prevent  unauthorized  destruction  of  data,  programs, 

system  equipment,  or  supplies. 


APPLICABLE 
VULNERABILITY 

CATEGORIES:  DDeE ,  PDeE ,  CE&SDe 


COMMENTS:  Although  this  safeguard  is  important  even  after 

facilities  have  been  constructed  and  occupied,  it 
is  of  greater  value  when  planning  new  facilities. 


NAME: 

CATEGORY: 

DESCRIPTION: 


Employee  Termination  Policy 
Personnel  1 

Policy  and  procedures  to  effect  immediate  restric- 
tion of  terminated  employee's  access  to  sensitive 
material  and  areas.     The  intent  of  this  safeguard 
is  to  ensure  that  disgruntled  terminated  employees 
are  not  in  the  position  to  destroy  or  disclose 
facilities  or  information. 


PURPOSE:  To  prevent  destruction  (or  denial)  of  data, 

programs,  equipment,  or  services  and  unauthorized 
disclosure  of  data  and  programs. 


APPLICABLE 
VULNERABILITY 

CATEGORIES:  DDil ,  PDel ,  PDil,  DDeE,  DDiE,  DDel ,  PDeE,  PDiE, 

CS&EDe,  SSD 


COMMENTS:  Retrofit;  There  were  numerous  cases  in  the  file 

in  which  disgruntled  employees  destroyed  data, 
programs,  or  equipment  after  their  termination 
notice  but  before  their  actual  departure. 
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NAME: 


Mailing  List  Check 


CATEGORY: 
DESCRIPTION: 


PURPOSE : 


Operations  Division  1 

Policy  and  procedures  to  insert  dummy  names  with 
known  addresses  into  mailing  lists.     Receipt  of 
mail  at  these  addresses  will  indicate  that  the 
mailing  list  is  being  misused.     This  will  detect 
unauthorized  disclosure  of  sensitive  internal 
lists . 

To  detect  unauthorized  disclosure  and  usage  of 
sensitive  internal  use  only  mailing  lists. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DDil,  DDiE 
Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION; 


PURPOSE : 

APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


External  Data  Responsibility  Separation 
Operations  Division  2 

Policy  and  procedure  to  ensure  that  functions  at 
critical  points  in  the  data-handling  process  are 
carried  out  by  different  individuals.     For  example, 
the  same  person  should  not  handle  address  changes 
and  establishment  of  new  accounts. 

To  prevent  unauthorized  modification  of  data. 


DME 

Retrofit 
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NAME: 


Personal  Record  Access  Check 


CATEGORY: 


Application  Program  Development  1 
(Operations  Division) 


DESCRIPTION: 


Procedures  and  software  to  monitor  and  log  access 
of  users  to  their  own  records.     For  example^ 
software  can  be  added  to  the  application  program 
that  maintains  a  list  of  authorized  users  with 
personal  records  in  the  file.     Each  time  one  of 
these  persons  accesses  the  file,  a  record  is  sent 
to  the  log  and  reviewed  by  appropriate  personnel. 
For  files  such  as  payroll,  the  program  will  have 
to  ascertain  whether  or  not  the  person  has  access 
to  his  or  her  data;  if  so,  additional  programming 
may  be  required. 


PURPOSE : 


To  detect  unauthorized  modification  of  data. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DMI,  DME 
Retrofit 


NAME: 
CATEGORY: 

DESCRIPTION: 


PURPOSE : 

APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


Record  Volume  Control 

Application  Program  Development  2 
(Operations  Division) 

Procedures  and  software  to  require  specification 
and  checking  of  I/O  record  volume  by  programs. 
For  example,     application  systems  should  have 
control  points  where  input/output  record  counts 
are  reconciled  before  the  next  job  step  is 
initiated . 

To  prevent  unauthorized  modification  of  data. 


DMI ,  DME 
Retrofit 


-B5- 


NAME: 


Terminal  Log-off 


CATEGORY: 


Application  Program  Development  3 
(Operations  Division) 


DESCRIPTION: 


Software  to  provide  automatic  log-off  of  a 
terminal  that  has  been  idle  for  a  specified 
time  interval.     The  length  of  time  will  vary 
with  the  type  of  system  and  terminal  access 
controls  in  use. 


PURPOSE ; 


To  prevent  unauthorized  modification,  destruction, 
or  disclosure  of  intellectual  property  or  denial 
or  theft  of  service  or  process. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DMI,  DDel,  DDil,  PMI ,  PDel ,  PDil ,  SST,  SSD 
Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 


I/O  Volume  Count  Comparison 

Data  Handling  1  (Operations  Division) 

Procedures  and  software  to  ensure  that  users 
compare  I/O  volume  against  predicted  requirements. 
For  example,     the  person  responsible  for  making 
modifications  to  the  payroll  file  should  be  re- 
quired to  predict  the  number  of  records  to  be 
changed  and  verify  that  exactly  this  number  was 
changed . 

To  detect  unauthorized  destruction,  disclosure  (or 
theft)  of  data  or  programs. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DDel ,  DDil ,  PDel ,  PDil 
Retrofit 


-B6- 


NMTE: 


I/O  Data  Control 


CATEGORY : 


Data  Handling  2  (Operations  Division) 
Operations  2  (Data  Processing) 


DESCRIPTION: 


Procedures  to  ensure  that  specific  control  points 
exist  for  data  movement  throughout  the  user  area. 
The  intent  is  to  provide  for  traceability  and 
accountability . 


PURPOSE ; 


To  prevent  unauthorized  modification  or  disclosure 
of  data  or  programs. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 


DME,  DDiE,  PME,  PDiE 


COMMENTS ; 


Retrofit;  The  most  numerous  incidents  of  misuse 
identified  are  in  the  data-handling  areas  outside 
the  computer  system.     Each  organization  has  to 
develop  specific  control  points  that  are  meaningful 
within  the  context  of  its  environment. 


NAME: 
CATEGORY: 

DESCRIPTION: 


PURPOSE ; 


I/O  Data  Storage 

Data  Handling  3  (Operations  Division) 
Operations  3  (Data  Processing) 

Procedures  and  facilities  to  provide  lockable 
storage  for  sensitive  data,  programs,  and  reports. 
This  safeguard  is  not  directed  at  government 
classified  material. 

To  prevent  unauthorized  modification,  destruction, 
or  disclosure  of  data  or  programs . 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DME,  DDeE,  DDiE,  PME,  PDeE,  PDiE 

Retrofit;  In  a  large  number  of  cases,  had  safes  or 
other  lockable  storage  been  used,  not  only  would 
much  of  the  data  disclosure  problem  been  solved, 
but  much  of  the  data  and  program  destruction 
problem  would  have  been  reduced. 
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NAME: 


I/O  Data  Movement  Control 


CATEGORY: 
DESCRIPTION: 


PURPOSE : 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


Data  Handling  4  (Operations  Division) 

Procedures  to  use  transmittal  slips  to  effect 
positive  controls  (such  as  traceability)  over  data 
being  moved  between  user  areas  and  the  computer 
center. 

To  prevent  unauthorized  modification  or  disclosure 
of  data  or  programs. 


DME,  DDiE,  PME ,  PDiE 
Retrofit 


NAME: 
CATEGORY: 

DESCRIPTION: 


PURPOSE : 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


External  Sensitive  Area  Access  Control 

Data  Handling  5  (Operations  Division) 
Operations  5  (Data  Processing) 

Procedures  and  facilities  to  deny  or  control 
unauthorized  personnel  access  to  sensitive  user 
work  areas.     The  intent  of  this  safeguard  is  to 
ensure  that  a  minimum  number  of  people  have  access 
to  user  work  areas  where  they  might  be  able  to 
change  records  that  are  in  a  format  they  understand, 

To  prevent  unauthorized  modification,  destruction 
or  disclosure  of  data  or  programs. 


DME,  DDeE,  DDiE,  PME,  PDeE,  PDiE 
Retrofit 
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NAME: 


I/O  Data  Movement  Security 


CATEGORY: 
DESCRIPTION: 


PURPOSE : 


Data  Handling  6  (Operations  Division) 

Procedures  and  facilities  to  provide  lockable 
containers  for  moving  data  and  output  between 
user  areas  and  the  computer  center  or  remote 
entry  stations. 

To  prevent  unauthorized  modification  or  disclosure 
of  data. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DME,  DDiE 
Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 

APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


Address  Change  Control 

Data  Handling  7  (Operations  Division) 

Procedures  to  provide  special  controls  over  receipt 
and  validation  of  address  change  data.     Of  specific 
interest  are  addresses  to  which  checks  or  other 
sensitive  documents  are  sent.     A  large  number  of 
cases  involved  the  establishment  of  ficticious 
companies  and  changing  the  accounts  payable 
system  to  send  checks  to  that  company.  Usually 
the  system  was  not  actually  modified,  but  rather 
false  entries  were  introduced  by  authorized  users. 

To  prevent  unauthorized  modification  of  data. 


DME 

Retrofit 
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NAME: 


User  Interface  Data  Control 


CATEGORY: 
DESCRIPTION: 


PURPOSE : 

APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


Data  Handling  8  (Operations  Division) 

Procedures  to  provide  for  special  controls ,  such 
as  brief  memoranda,  over  receipt  and  validation  of 
data  supplied  directly  by  third  parties,  outside 
the  normal  procedures.     The  intent  of  this  safe- 
guard is  to  prevent  persons  such  as  programmers 
from  calling  the  operator  to  change  or  fix  programs 
in  emergency  situations  without  proper  documentation, 

To  prevent  unauthorized  modification  of  data. 


DME 

Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 

APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


Audit  by  Extended  Records 
Audit  1 

Procedures  and  software  to  enable  application 
programs  to  append  audit  information  to  the 
transaction  record,  thus  providing  a  complete 
audit  trail  contained  as  a  part  of  the  transaction, 
For  example,  a  billing  transaction  might  have 
recorded  items  such  as: 

•  A  reason  code  for  credits  or  adjustments 

•  A  code  to  indicate  whether  it  was  a 
back-ordered  item 

•  A  code  to  indicate  whether  pricing  was 
special  and  who  authorized  it 

To  detect  unauthorized  modification  of  data. 


DMI,  DME 

Difficult  to  retrofit  into  existing  application 
systems . 
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NAME: 


Audit  by  Parallel  Simulation 


CATEGORY: 
DESCRIPTION: 


PURPOSE : 

APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


Audit  2 

Procedures  and  software  to  process  production 
transactions  with  programs  that  simulate  critical 
aspects  of  application  system  logic  and  to  verify 
selected  processing  functions  by  comparing  simulation 
results  to  production  processing  results.  For 
example,     a  bank  simulates  savings  interest  cal- 
culations for  all  of  its  passbook  savings  customers. 
Since  the  simulation  program  verifies  only  the 
interest  accrual  calculations,  it  is  much  less 
complex  than  the  passbook  update  application 
system. 

To  detect  unauthorized  modification  of  programs. 


PMI,  PME 
Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 

APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


Code  Comparison  Audit 
Audit  3 

Procedures  and  software  to  compare  two  source 
programs,  one  of  which  is  a  control  program, 
and  identify  differences.     After  this  comparison, 
the  auditor  verifies  that  differences  have  been 
authorized  by  appropriate  personnel  and  are 
properly  documented. 

To  detect  unauthorized  modification  of  programs. 


PMI,  PME 
Retrofit 
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NAME: 


Selected  Transaction  Audit 


CATEGORY: 
DESCRIPTION: 


PURPOSE 


Audit  4 

Procedures  and  software  to  allow  audit  subroutines 
to  execute  with,  but  independent  of,  application 
systems  to  screen  and  select  for  later  review  any 
transactions  of  interest.     The  kinds  of  trans- 
actions to  be  selected  are  determined  by  a  set  of 
input  parameters  at  the  time  the  audit  subroutines 
are  exercised. 

To  detect  unauthorized  modification  of  data. 


APPLICABLE 
VULNERABILITY 
CATEGORIES  :' 

COMMENTS : 


DMI,  DME 

Difficult  to  retrofit  into  existing  application 
systems;  many  of  the  misuses  associated  with 
financial  systems  would  have  been  detected  in  the 
early  stages  had  this  safeguard  been  in  use  and 
used  regularly. 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 


Data  Handling  Audit 
Audit  5 

Procedures  to  conduct  a  periodic  audit  of  the  data 
preparation  process.     The  audit  verifies  confor- 
mance to  controls  dictated  by  policies,  standards, 
and  procedures . 

To  detect  unauthorized  modification,  destruction, 
gr  disclosure  of  data  or  nonconformance  to 
standards . 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DME,  DDeE,  DDiE 

Retrofit;  Since  the  data  handling  area  offers  the 
most  potential  for  misuse,  it  requires  special 
audits  of  conformance  to  standard  operating 
procedures . 
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NAME: 


Selected  Area  Audit 


CATEGORY: 
DESCRIPTION: 


PURPOSE : 

APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


Audit  6 

Procedures  and  software  to  collect  and  evaluate 
selected  operating  statistics  to  identify 
unexpected  variations,  such  as  a  high  level  of 
uncollected  receivables.     Actual  values  collected 
are  compared  with  predicted  values. 

To  detect  unauthorized  modification  of  data. 


DMI,  DME 
Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 

APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


Audit  with  Test  Data 


Audit  7 


Procedures  and  software  to  execute  application 
systems,  such  as  payroll  or  accounts  payable, 
using  test  data  sets  to  verify  accuracy  of  systems 
by  comparing  actual  processing  results  with 
predetermined  test  results.     This  safeguard  is 
used  mostly  with  batch  systems. 

To  detect  unauthorized  modification  of  programs. 


PMI,  PME 
Retrofit 
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NAME: 


Computer  Resource  Usage  Audit 


CATEGORY: 
DESCRIPTION: 


PURPOSE ; 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


Audit  8 

Procedures  and  software  to  select,  extract,  and 
analyze  computer  resource  usage  information  and 
compare  it  against  projected  usage  budget. 
Analysis  is  performed  at  the  organization, 
organizational  subdivision,  and  user  levels. 
For  example ,     a  specific  project  may  be  budgeted 
for  2-3  hours  of  terminal  usage  during  any  week. 
If  one  week  the  project  uses  7-10  hours,  a  check 
should  be  made  to  ensure  that  there  is  a  valid 
reason  for  the  extra  usage. 

To  detect  unauthorized  disclosure  (or  theft)  of 
data,  programs  or  services. 


DDil,  PDil,  SST 
Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 

APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


Crash  Log  Audit 
Audit  9 

Procedures  and  software  to  collect  and  analyze 
system  crash  information  for  trends  and  evidence 
of  intentional  crashing.     The  intent  is  to  ensure 
that  a  program  exists  for  verifying  that  all 
system  outages  are  explainable. 

To  detect  denial  of  system  service. 


SSD 

Retrofit 


-B14- 


NAME: 


Audit  by  Computer-Aided  Flowcharting 


CATEGORY: 
DESCRIPTION: 


PURPOSE : 

APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


Audit  10 

Procedures  and  software  to  process  application 
systems  to  automatically  identify  and  present 
logic  paths  and  control  points.     The  flowcharts 
produced  are  then  compared  with  those  provided  by 
the  programmer  to  identify  inconsistencies. 

To  detect  unauthorized  modification  of  programs. 


PMI,  PME 
Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 

APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


Generalized  Audit  Software 
Audit  11 

Procedures  and  software  to  access,  extract, 
manipulate,  and  present  data  and  test  results 
in  a  format  appropriate  to  internal  audit  objectives 
A  number  of  generalized  audit  software  packages 
are  commercially  available  that  offer  various 
degrees  of  sophistication. 

To  detect  unauthorized  modification  of  data. 


DMI,  DME 

Retrofit 


-B15- 


NAME: 


Snapshot  Audit 


CATEGORY: 
DESCRIPTION: 


PURPOSE ; 


Audit  12 

Procedures  and  software  to  be  embedded  in 
application  systems  that  allow  for  recording  the 
contents  of  main  memory  at  critical  decision 
points  within  the  application  process.    The  intent 
of  this  safeguard  is  to  allow  the  auditor  an 
opportunity  to  examine  logic  paths  during  execution 
of  the  program. 

To  detect  unauthorized  modification  of  programs. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


PMI,  PME 
Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 

APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


Audit  from  Terminal 
Audit  13 

Procedures  and  software  to  allow  the  ADP  auditor 
to  access,  extract,  manipulate,  and  display  on-line 
data  base  information  using  a  remote  terminal. 
This  tjrpe  of  safeguard  is  essentially  the  generalized 
audit  software  safeguard  (Audit  11)  for  use  in 
auditing  on-line  systems. 

To  detect  unauthorized  modification  of  data. 


DMI,  DME 
Retrofit 


-B16- 


NAME: 


Library  Usage  Audit 


CATEGORY: 
DESCRIPTION: 


PURPOSE : 


Audit  14 

Procedures  and  software  to  record  and  review  the 
number  of  references  to  sensitive  library  modules 
by  each  application  system  or  user  and  to  verify 
the  reasonableness  of  these  entries.     For  example, 
if  a  user  requests  a  specific  tape  more  often  than 
usual  during  a  given  time  span,  the  auditor  should 
verify  that  the  requests  were  in  accord  with  the 
user's  work  requirements. 

To  detect  unauthorized  modification  or  disclosure 
of  data  or  programs . 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DMI,  DDil,  PMI,  PDil,  DME,  DDiE ,  PME,  PDiE 
Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 


Late  Processing  Audit 
Audit  15 

Procedures  and  software  to  collect  additional 
information  on  all  jobs  that  are  completed  after 
their  due  dates  and  times.     The  intent  of  the  audit 
is  to  ensure  that  control  guidelines  are  not  com- 
promised as  a  consequence  of  the  late  processing. 

To  detect  unauthorized  modification  of  data  or 
programs . 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DMI,  PMI,  DME,  PME 
Retrofit 


-B17- 


NAME: 


Application  System  Design  Verification 


CATEGORY: 
DESCRIPTION: 


PURPOSE : 

APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


Audit  16 

Procedures,  software,  and  guidelines  to  ensure 
that  ADP  auditors  verify  the  quantity  and  quality 
of  internal  controls  specified  by  the  user  depart- 
ments for  inclusion  in  all  new  application  systems. 
The  verification  should  take  place  both  before  and 
after  installation. 

To  prevent  all  defined  misuses. 


All 


Retrofit;  This  safeguard  is  the  highest  ranking 
prevention  tool  because  it  is  believed  that  a  very 
large  number  of  misuses  would  have  been  prevented 
had  organizations  designed  controls  into  the 
application  system  and  taken  steps  to  ensure  that 
the  controls  were  adequate  and  working  before 
the  system  was  declared  operational. 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 


Operations  Area  Surveillance 
Security  1 

Procedures  and  facilities  to  effect  continuous 
surveillance  of  terminal  and  computer  center  at 
all  times  and  of  terminal  areas  during  off-hours. 
Closed  circuit  TV  (CCTV)  can  be  used  either 
manned  or  with  video  tape  recording. 

To  detect  unauthorized  modification,  destruction, 
and  disclosure  (or  theft)  of  data,  programs, 
system  equipment,  or  supplies. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 


DME,  DDeE,  DDiE ,  PME ,  PDeE,  PDiE,  CE&SM,  CE&SDe, 
CE&ST 


COMMENTS : 


Retrofit;  This  safeguard  was  the  highest  ranking 
detection  tool  because  of  the  large  number  of 
incidents  in  which  an  employee  or  perpetrator 
destroyed  facilities,  data  or  programs  left  in 
unmonitored  areas. 


-B18- 


NAME:  Area  Alarm  System 

CATEGORY:  Security  2 


DESCRIPTION:  Software  and  facilities  that  provide  for  an  alarm 

system  to  detect  and  record  access  to  all  critical 
areas,  such  as  terminal  room,  supply  room  and 
computer  center.     Commercially  available  mini- 
computer-based systems  provide  an  example. 

PURPOSE:  To  detect  unauthorized  modification  of  data, 

programs,  or  system  equipment;  destruction  of 
data,  programs,  system  equipment,  or  supplies; 
and  disclosure  (or  theft)  of  data,  programs, 
system  equipment,  or  supplies. 


APPLICABLE 
VULNERABILITY 

CATEGORIES:  DME ,  DDeE  ,  DDiE ,  PME,  PDeE,  PDiE,  CSSsEM, 

CS&EDe,  CS&ET 

COMMENTS:  Retrofit;  Many  cases  exist  in  which  perpetrators 

were  allowed  access  to  areas  where  they  should  not 
have  been,  but  no  one  had  the  ability  to  detect 
their  presence 


-B19- 


NAME: 


Data  Center  Access  Control 


CATEGORY: 
DESCRIPTION: 


PURPOSE : 


Security  3 

Procedures  to  restrict  and  control  access  to  the 
data  center  including  an  authorized  access  list 
and  a  log  for  all  entering  and  leaving  the  data 
center.     Aspects  of  this  safeguard  may  be  automated 
using  devices  such  as  man-traps  or  badge  readers. 

To  prevent  unauthorized  modification,  destruction, 
or  theft   of  system  equipment  or  supplies  and 
denial  of  system  service. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


CESsSM,    CE&SDe,  CE&ST,  SSD 

Retrofit;  In  many  cases,  equipment  was  destroyed 
by  demonstrators  who  were  able  to  easily  gain 
access  to  computer  facilities  or  by  persons  who 
should  not  have  been  allowed  in  the  center,  even 
though  they  were  employees  of  the  company. 


NAME: 

CATEGORY: 

DESCRIPTION: 

PURPOSE : 


Fire  Detection  and  Extinquishment 
Security  4 

Procedures  and  facilities  to  provide  fire 
detection  and  extinquishment  protection  for  all 
computer  and  user  areas . 

To  prevent  destruction  of  data,  programs,  computer 
equipment,  supplies  and  services. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DDeE,  PDeE,  CE&SDe,  SSD 

Retrofit  is  possible,  albeit  with  some  difficulty; 
A  number  of  fire  bombings  during  the  late  1960 's 
caused  extensive  fire  damage  to  unprotected  centers < 


-B20- 


NAME: 


Internal  Tampering  Alarms 


CATEGORY : 
DESCRIPTION: 


PURPOSE ; 


Security  5 

Facilities  to  provide  terminals  and  other  remote 
devices  with  internal  tampering  alarms ,  including 
alarms  against  unplugging.     This  safeguard  is 
an  extension  of  safeguard  Security  2, 
Area  Alarm  Sj^stem. 

To  prevent  unauthorized  modification  or  theft 
of  terminals  and  other  such  equipment. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


CE&SM,  CE&ST 

Difficult  safeguard  to  apply  without  replacing 
terminals . 


NAME: 

CATEGORY: 

DESCRIPTION: 

PURPOSE : 


Metal  Detector 
Security  6 

Procedures  and  facilities  to  provide  for  metal 
detection  at  the  entrance  to  the  computer  center 
and  remote  computing  facilities. 

To  prevent  destruction  or  theft  of  system  equipment 
or  supplies , 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


CE&SDe,  CE&ST 
Retrofit 


-B21- 


NAME: 


X-Ray  Surveillance 


CATEGORY : 
DESCRIPTION: 


PURPOSE : 


Security  7 

Procedures  and  facilities  to  allow  for  X-ray  of 
all  packages,  brief  cases,  tool  boxes,  and  Other 
such  items  leaving  areas  in  which  sensitive 
material  is  stored. 

To  prevent  disclosure  of  data  or  programs  and 
theft  of  system  equipment. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DDiE,  PDiE,  CE&ST 
Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 


Package  Control 
Security  8 

Procedures  and  facilities  to  provide  for  outgoing 
package  control  leaving  areas  in  which  sensitive 
material  is  stored,  such  as  the  tape  and  disk  pack 
storage  area.     (This  safeguard  may  be  used  in  place 
of  an  X-ray  machine.) 

To  prevent  unauthorized  disclosure  (or  theft)  of 
data,  programs,  computer  equipment,  or  supplies. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DDiE,  PDiE,  CE&ST 
Retrofit 


-B22- 


NAME: 


Off-site  Storage 


CATEGORY: 
DESCRIPTION: 

PURPOSE : 

APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


Security  9 

Procedures  and  facilities  to  effect  secure  off-site 
storage  for  copies  of  critical  data  files,  programs, 
and  documentation. 

To  prevent  denial  of  system  service. 


SSD 

Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE ; 


Computer  Inventory  Control 
Data  Processing  1 

Procedures  and  software  to  effect  inventory 
control  of  computer  equipment,  hardware  replacement 
parts,  unused  media,  and  supplies,  at  all  locations 
from  arrival  to  end  of  useful  life.     The  intent  is 
to  ensure  a  complete  and  consistent  inventory 
control  program  that  provides  the  auditor  with 
sufficient  information  to  verify  the  status  of 
all  inventory. 

To  detect  modification  or  theft  of  system  equipment 
and  supplies. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


CE85SM,  CE&ST 
Retrofit 


-B23- 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 

APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


Bill  Back  System 
Data  Processing  2 

Policy,  procedures,  and  software  to  provide  an 
accounting  system  for  billing  back  all  usage  to 
the  user  organization.  Costs  should  be  broken 
out  by  department,  project  and  person.  To  the 
extent  possible,  costs  should  be  compared  with 
budget  projections. 

To  detect  unauthorized  use  of  system  services. 


SST 

Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 


Password  Protection  System 
Data  Processing  3 

Policy,  procedures,  software,  and  facilities  to 
provide  a  comprehensive  password  protection  system 
to  include  compartmented  initiation,  disbursement, 
storage,  and  change  of  passwords.     This  information 
should  be  secured  using  safes,  encryption,  and  other 
such  means . 

To  prevent  unauthorized  modification  of  data  or 
programs;   destruction  (or  disruption)  of  data, 
programs,  or  services;  and  disclosure  (or  theft) 
of  data,  programs,  or  services. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DMI,  DDel ,  DDil,  PMI ,  PDel ,  PDil ,  SST,  SSD 

Can  be  retrofit  but  with  the  degree  of  difficulty 
dependent  on  the  organization  size  and  usage  of 
computers;  While  password  systems  were  used  in  most 
organizations,  they  were  used  very  poorly,  i.e., 
passwords  were  never  changed  or  were  stored  in  clear 
text  formats  making  it  easy  for  a  person  to  obtain 
the  password. 


-B24- 


NAME: 


Program  Change  Control  Log 


CATEGORY: 
DESCRIPTION: 


PURPOSE : 

APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


Data  Processing  4 

Procedures  and  software  to  effect  complete  control 
over  program  changes.     Included  are  change  logs 
and  documentation  as  well  as  formal  approval 
procedures . 

To  prevent  unauthorized  modification  of  programs. 


PMI ,  PME 
Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


Utility  Control 
Data  Processing  5 

Policy,  procedures,  and  software  to  identify  and 
control  the  use  of  specific  system  utilities 
that  can  bypass  system  integrity  controls. 


PURPOSE : 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


To  prevent  unauthorized  modification  of  data  or 
programs  and  denial  of  system  services. 


DMI,  DDel,  DDil ,  PMI,  PDel ,  PDil ,  SSD 
Retrofit 


-B25- 


NAME: 


Application  System  Test 


CATEGORY: 


Application  Interface  1 

(Data  Processing/System  Control) 


DESCRIPTION: 


Procedures,  software,  and  guidelines  to  ensure 
thorough  testing  of  application  systems  before 
operational  status  is  acquired.     Test  items  include 
internal  controls,  programming  standard  conventions, 
errors  of  omission  and  commission  as  well  as 
recovery  capability. 


PURPOSE : 


To  prevent  application  system  failure. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 


DMI,  DDel,  DDil,  PMI ,  PDel ,  PDil,  SSD,  SST 


COMMENTS ; 


Retrofit;  A  number  of  misuses  identified  were  a 
result  of  improperly  tested  systems.     This  was 
especially  true  in  the  university  environment  where 
students  found  ways  to  crash  the  system. 


NAME: 
CATEGORY: 

DESCRIPTION: 


PURPOSE : 


Program  Standards 

Application  Interface  2 

(Data  Processing/System  Control) 

Procedures  and  software  to  ensure  that  all  programs 
use  accepted  agency  programming  standards  that 
might  include  items  such  as  register  conventions, 
standard  parameter  conventions  and  such. 

To  prevent  unauthorized  modification  or  disclosure 
of  data  or  programs . 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DMI,  DDel,  DDil,  PMI,  PDel,  PDil,  SST,  SSD 
Retrofit 


-B26- 


NAME: 


Test  Isolation  Control 


CATEGORY: 


Application  Interface  3 

(Data  Processing/System  Control) 


DESCRIPTION: 


Procedures,  software,  and  hardware  to  isolate  test 
systems  from  production  systems ,  test  data  from 
live  data,  at  all  times.     This  isolation  is  accom- 
plished by  using  hardware  and  software  configuration 
controls. 


PURPOSE : 


To  prevent  unauthorized  modification  or  disclosure 
of  data. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DMI,  DDil 
Retrofit 


NAME: 
CATEGORY: 

DESCRIPTION: 


PURPOSE ; 


Internal  Standard  Label  Control 

Application  Interface  4 

(Data  Processing/System  Control) 

Procedures  and  software  to  ensure  that  application 
systems  use  standard  labels  for  tapes,  disks,  and 
other  removable  media,  to  avoid  bypassing  system 
controls . 

To  prevent  unauthorized  modification  or  disclosure 
of  data  or  programs . 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DMI,  DDil,  PMI,  PDil 
Retrofit 


-B27- 


NAME: 


Documentation  Control 


CATEGORY: 


Application  Interface  5 

(Data  Processing/System  Control) 


DESCRIPTION: 


Procedures,  software,  and  facilities  to  control 
access  to  system  and  application  documentation, 
stored  in  any  format  or  medium. 


PURPOSE : 


To  prevent  denial  or  theft  of  system  service. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


SST,  SSD 
Retrofit 


NAME: 
CATEGORY: 

DESCRIPTION: 


PURPOSE : 


User  Command  Log 

Internal  Control  1 

(Data  Processing/System  Control) 

Procedures  and  software  to  enable  logging  of  user 
commands.     The  organization  should  establish 
application  system  standards  that  would  require 
a  selective  logging  capability  for  user  commands. 

To  detect  unauthorized  actions  and  monitor  command 
activity  by  users. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DMI,  DDel,  DDil,  PMI ,  PDel ,  PDil ,  SSD,  SST 

Retrofit;  Users  should  be  restricted  to  the  fewest 
number  of  commands  necessary  to  accomplish  their 
task.     In  addition,  application  systems  should  have 
the  capability  to  identify  what  commands  were 
executed  by  each  user  at  any  time. 


-B28- 


NAME: 


Data  Transformation 


CATEGORY: 


Internal  Control  2 

(Data  Processing/System  Control) 


DESCRIPTION: 


Procedures  and  software  that  allow  for  storage 
of  critical  data  elements  in  a  slightly  transformed 
format  reversing  the  transformation  before  the 
data  are  used  by  application  systems. 


PURPOSE ; 


To  detect  unauthorized  disclosure  of  data, 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 


DDil ,  DDiE 


COMMENTS : 


Retrofit;  This  safeguard  ranked  so  high  because 
it  worked  very  well  against  a  few  specific  cases 
in  a  vulnerability  category  with  few  cases. 


NAME: 
CATEGORY: 

DESCRIPTION: 


PURPOSE : 


Sensitive  File  Access  Log 

Internal  Control  3 

(Data  Processing/System  Control) 

Procedures  and  software  to  log  all  accesses , 
either  by  system  programs  or  application  programs, 
to  files  designated  "sensitive"  by  the  security 
administrator.     The  intent  is  to  ensure  an  extra 
level  of  protection  for  "sensitive"  files. 

To  detect  unauthorized  accesses  to  sensitive  files 
and  generally  monitor  file  access  activity. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DMI,  DDel,  DDil,  PMI ,  PDel ,  PDil,  SSD  ,  SST 

Retrofit;  In  many  of  the  cases  reviewed,  "sensitive' 
files  were  protected  in  the  same  manner  as 
"nonsensiti ve"  files. 


-B29- 


NAME: 


Operator  Console  Log 


CATEGORY: 


DESCRIPTION: 


Internal  Control  4 

(Data  Processing/System  Control) 

Procedures  and  software  to  log  specified  commands 
issued  at  the  operator  console.     For  example,  all 
privileged  commands  that  allow  modification  of 
programs  and/or  data  in  main  memory  should  be 
monitored . 


PURPOSE : 


To  detect  unauthorized  actions  and  to  monitor 
command  activity  at  the  operator  console. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DMI,  DDel,  DDil,  PMI ,  PDel ,  PDil ,  SSD ,  SST 
Retrofit 


NAME: 
CATEGORY: 

DESCRIPTION; 


PURPOSE : 

APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


IPL  Check 

Internal  Control  5 

(Data  Processing/System  Control) 

Procedures  and  software  for  use  at  initial  program 
load  (IPL)  time  to  compare  current  system  libraries 
against  verified  baseline  system.  Checksum 
programs  that  perform  a  special  algorithm  on 
each  module  are  an  example. 

To  detect  unauthorized  modification  of  programs. 


PMI ,  PME 
Retrofit 


-B30- 


NAME: 


Improper  Log -on  Control 


CATEGORY: 


DESCRIPTION; 


PURPOSE ; 


Internal  Control  6 

(Data  Processing/System  Control) 

Procedures  and  software  to  detect  repeated  attempts 
to  log-on.     For  example,     after  three  or  four 
unsuccessful  log-on  attempts,  a  message  might  be 
sent  to  the  console  operator  or  to  the  security 
administrator's  console  for  appropriate  action. 

To  detect  unauthorized  modification  of  data  or 
programs;  destruction  (or  disruption)  of  data, 
programs,  or  services;  and  disclosure  (or  theft) 
of  data,  programs,  or  services. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DMI,  DDel,  DDil,  PMI ,  PDel ,  PDil ,  SST,  SSD 
Retrofit 


NAME: 
CATEGORY: 

DESCRIPTION: 


PURPOSE ; 


Nonpassword  Terminal  User  Verification 

Internal  Control  7 

(Data  Processing/System  Control) 

Procedures,  software,   and  hardware  to  effect 
positive  system  verification  of  users  at  all 
terminals.     Possible  approaches  include  the  use 
of  ID  cards  and  readers,  handprint  identifiers, 
or  voice  print  identifiers. 

To  prevent  unauthorized  modification,  destruction, 
or  disclosure  of  intellectual  property  or  denial 
or  theft  of  service  or  process. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DMI,  DDel,  DDil,  PMI,  PDel,  PDil,  SST,  SSD 

Difficult  safeguard  to  apply  without  replacing  or 
upgrading  terminals. 
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NAME: 


Store  and  Fetch  Protection 


CATEGORY: 


Internal  Control  8 

(Data  Processing/System  Control) 


DESCRIPTION: 


Software  and  hardware  to  effect  store  and  fetch 
protection  for  both  main  and  secondary  storage. 
The  intent  of  this  safeguard  is  to  confine  the 
application  system  to  its  authorized  storage 
areas . 


PURPOSE : 


To  prevent  unauthorized  modification  or  disclosure 
of  data  or  programs;  or  theft  or  denial  of 
service  or  process. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 


DMI,  DDel,  DDil,  PMI ,  PDel ,  PDil ,  SSD,  SST 


COMMENTS : 


Difficult  to  retrofit  unless  hardware  capability 
is  already  present. 


NAME: 
CATEGORY: 

DESCRIPTION: 


PURPOSE : 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


Least  Privilege  Principle 

Internal  Control  9 

(Data  Processing/System  Control) 

Procedures  and  software  to  check  privileged  commands 
to  ensure  that  privilege  requested  is  authorized 
for  that  individual  or  process.     This  check  might 
be  accomplished  through  use  of  a  special  system 
authorization  table. 

To  prevent  unauthorized  modification  or  disclosure 
of  data  or  programs. 


DMI,  DDil,  PMI,  PDil 
Retrofit 
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NAME: 


Privileged  Use  Controls 


CATEGORY: 


DESCRIPTION: 


PURPOSE: 


Internal  Control  10 

(Data  Processing/System  Control) 

Procedures  and  software  to  ensure  that  a  special 
password  system  exists  for  privileged  users,  such 
as  operators  or  system  programmers.     For  example, 
this  system  may  allow  for  daily  change  of 
privileged  use  passwords. 

To  prevent  unauthorized  modification  of  data  or 
programs;  destruction  (or  disruption)  of  data, 
programs,  or  services;  and  disclosure  (or  theft) 
of  data,  programs,  or  services. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DMI,  DDel,  DDil,  PMI ,  PDel ,  PDil ,  SST,  SSD 
Retrofit 


NAME : 
CATEGORY: 

DESCRIPTION: 


PURPOSE : 


Secondary  Storage  Passwords 

Internal  Control  11 

(Data  Processing/System  Control) 

Procedures  and  software  to  enable  password  pro- 
tection for  programs  and  sensitive  data  maintained 
on  secondary  storage.     The  intent  of  this  safeguard 
is  to  add  a  second  level  of  password  protection. 

To  prevent  unauthorized  modification,  destruction, 
or  disclosure  of  data  or  programs. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DMI,  DDel,  DDil,  PMI,  PDel,  PDil 
Retrofit 
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NAME: 


Device  ID 


CATEGORY: 


Internal  Control  12 

(Data  Processing/System  Control) 


DESCRIPTION: 


Software  and  hardware  to  make  serial  number  ID 
of  various  equipment  components  accessible  to 
programs.     This  is  of  special  utility  in  pro- 
viding positive  identification  of  terminals  and 
devices  interacting  with  an  application  system. 


PURPOSE : 


To  prevent  unauthorized  modification  or  disclosure 
of  data  or  programs . 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 


DMI,  DDil,  PMI,  PDil 


COMMENTS ; 


Difficult  to  retrofit  unless  hardware  capability 
is  already  present. 


NAME: 
CATEGORY: 

DESCRIPTION: 
PURPOSE : 


Off-hour  Terminal  Disconnect 

Internal  Control  13 

(Data  Processing/System  Control) 

Procedures  or  software  to  disconnect  unneeded 
communication  lines  from  system  during  off 
hours . 

To  prevent  unauthorized  modification,  destruction, 
or  disclosure  of  intellectual  property  or  denial 
or  theft  of  service  or  process. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DMI,  DDel,  DDil,  PMI,  PDel ,  PDil,  SST,  SSD 
Retrofit 
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NAME: 


Password  Generation 


CATEGORY : 


DESCRIPTION: 


PURPOSE ; 


Internal  Control  14 

(Data  Processing/System  Control) 

Procedures  and  software  to  ensure  generation  of 
passwords  that  are  difficult  to  guess  or  determine 
programatically . 

To  prevent  unauthorized  modification  of  data  or 
programs;  destruction  (or  disruption)  of  data, 
programs,  or  services;  and  disclosure  (or  theft) 
of  data,  programs,  or  services. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DMI,  DDel,  DDil,  PMI ,  PDel ,  PDil ,  SST,  SSD 
Retrofit 


NAME: 
CATEGORY: 

DESCRIPTION: 


PURPOSE 


Password  Print  Suppress 

Internal  Control  15 

(Data  Processing/System  Control) 

Procedures,  software,  and  hardware  to  inhibit 
the  display  of  passwords  entered  at  a  terminal 
by  the  user.     In  some  cases,  an  underprint 
facility  may  be  satisfactory. 

To  prevent  unauthorized  modification,  destruction, 
or  disclosure  of  intellectual  property  or  denial 
or  theft  of  service  or  process. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DMI,  DDel,  DDil,  PMI,  PDel,  PDil,  SST,  SSD 
Retrofit 
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NAME: 


System  Masquerade  Control 


CATEGORY: 


DESCRIPTION: 


PURPOSE ; 


Internal  Control  16 

(Data  Processing/System  Control) 

Software  and  hardware  to  prevent  a  user  from 
issuing  system-like  prompts  to  a  terminal. 
The  intent  is  to  ensure  that  users  are  not  able 
to  obtain  sensitive  identification  information 
from  other  users  by  masquerading  as  the  system. 

To  prevent  unauthorized  modification,  destruction, 
or  disclosure  of  intellectual  property  or  denial 
or  theft  of  service  or  process. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DMI,  DDel ,  DDil,  PMI ,  PDel ,  PDil ,  SST,  SSD 
Retrofit 


NAME: 
CATEGORY: 

DESCRIPTION: 


PURPOSE : 

APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


Simultaneous  Access  Control 

Internal  Control  17 

(Data  Processing/System  Control) 

Software  and  hardware  to  prevent  simultaneous 
access  to  data  in  modes  that  would  allow  un- 
authorized modification.     For  example^  a  file 
should  be  lockable  from  the  time  a  record  is 
modified  until  appropriate  control  entries  have 
been  made  in  the  master  file  and  history  file. 

To  prevent  unauthorized  data  modification. 


DMI 


Difficult  to  retrofit  unless  hardware  capability 
is  already  present. 
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NAME: 


Storage  Purge 


CATEGORY: 


DESCRIPTION: 


Internal  Control  18 

(Data  Processing/System  Control) 

Procedures,  software,  and  hardware  to  overwrite  all 
types  of  storage  after  use  for  sensitive  processing. 
The  intent  is  to  discourage  scavenging  through 
residue  information  on  magnetic  medium. 


PURPOSE : 


To  prevent  unauthorized  disclosure  of  data  or 
programs . 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DDil,  PDil 
Retrofit 


NAME: 
CATEGORY: 

DESCRIPTION: 


PURPOSE : 


Processing  Time  Control 

Internal  Control  19 

(Data  Processing/System  Control) 

Procedures  and  software  to  check  actual  time  of 
use  against  authorized  time  for  the  application. 
The  intent  is  to  restrict  application  systems 
to  certain  times  of  the  day,  month,  or  year  for 
which  it  is  authorized. 

To  prevent  unauthorized  use  or  denial  of  system 
service , 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


SST,  SSD 
Retrofit 
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NAME: 


Hardware  Monitors 


CATEGORY: 


Hardware  Support  1 

(Data  Processing/System  Control) 


DESCRIPTION: 


Procedures,  software,  hardware,  and  facilities 
to  monitor  channel  usage  by  application  system 
or  location  over  time  and  match  actual  usage 
with  predicted  or  historical  usage  records. 


PURPOSE : 


To  detect  theft  of  system  services. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


SST 

Retrofit 


NAME: 
CATEGORY: 

DESCRIPTION: 


PURPOSE : 

APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


Remote  Encryption  Capability 

Hardware  Support  2 

(Data  Processing/System  Control) 

Software,  hardware,  and/or  facilities  to  provide 
encryption  capability  for  storing  and  processing 
sensitive  data  at  remote  data  processing  facilities, 
This  capability  must  be  consistent  with  the 
encryption  mechanisms  in  use  at  the  central 
facility. 

To  prevent  unauthorized  disclosure  of  data. 


DDiE 

Retrofit 
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NAME: 


Encryption  for  Transport 


CATEGORY: 


Hardware  Support  3 

(Data  Processing/System  Control) 


DESCRIPTION: 


Software  and  facilities  to  encrypt  data  that  are 
to  be  transported  by  a  third  party  outside  the 
computer  facility. 


PURPOSE : 


To  prevent  unauthorized  disclosure  of  data. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DDiE 

Retrofit 


NAME: 
CATEGORY: 

DESCRIPTION: 


PURPOSE ; 


Communication  Encryption 

Hardware  Support  4 

(Data  Processing/System  Control) 

Software  and  hardware  to  provide  encryption  of 
information  passing  over  communication  lines. 
Of  particular  interest  is  transmission  of  data 
over  low-speed  lines  between  terminal  and  computer, 

To  prevent  unauthorized  disclosure  of  data. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 


DDil 


COMMENTS : 


Retrofit  is  possible,  but  difficult. 
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NAME: 


Alternate  Communication  Paths 


CATEGORY: 


Hardware  Support  5 

(Data  Processing/System  Control) 


DESCRIPTION: 


Hardware  and  facilities  to  ensure  that  alternative 
communication  paths  exist  for  critical  on-line 
systems.     For  example,  ensure  duplicate  paths 
exist  between  the  computer  facility  and  the 
telephone  company  central  office. 


PURPOSE ; 


To  prevent  denial  of  system  service. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 


SSD 


COMMENTS : 


Retrofit  is  possible  but  with  difficulty  and 
expense. 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 


Media  Usage  Log 

Operations  1  (Data  Processing) 

Procedures  to  log  all  movement  and  usage  of 
removable,  sensitive  media,  possibly  using 
controlled  external  labels  and  times  of  the 
mount  and  dismount  by  job  and  user. 

To  detect  unauthorized  modification  or  disclosure 
of  data  or  programs  or  unauthorized  use. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DMI,  DDel ,  DDil,  PMI ,  PDel ,  PDil ,  SST 
Retrofit 
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NAME: 


I/O  Data  Control 


CATEGORY: 


Operations  2  (Data  Processing) 

Data  Handling  2  (Operations  Division) 


DESCRIPTION: 


Procedures  to  ensure  that  specific  control  points 
exist  for  data  movement  throughout  the  user  area. 
The  intent  is  to  provide  for  traceability  and 
accountability. 


PURPOSE : 


To  prevent  unauthorized  modification  or  disclosure 
of  data  or  programs . 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 


DME,   DDiE,  PME,  PDiE 


COMMENTS : 


Retrofit;  The  most  numerous  incidents  of  misuse 
identified  are  in  the  data-handling  areas  outside 
the  computer  system.     Each  organization  has  to 
develop  specific  control  points  that  are  meaningful 
with  the  context  of  its  environment. 


NAME: 
CATEGORY: 

DESCRIPTION: 


PURPOSE : 


I/O  Data  Storage 

Operations  3  (Data  Processing) 

Data  Handling  3  (Operations  Division) 

Procedures  and  facilities  to  provide  lockable 
storage  for  sensitive  data,  programs,  and  reports. 
This  safeguard  is  not  directed  at  government, 
classified  material. 

To  prevent  unauthorized  modification,  destruction, 
or  disclosure  of  data  or  programs. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DME,  DDeE,  DDiE,  PME,  PDeE ,  PDiE 

Retrofit;  In  a  large  number  of  cases,  had  safes 
or  other  lockable  storage  been  used,  not  only 
would  much  of  the  data  disclosure  problem  been 
solved,  but  also  much  of  the  data  and  program 
destruction  problem  would  have  been  reduced. 
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NAME: 

Tape/Disk  Movement  Control 

CATEGORY: 

Operations  4  (Data  Processing) 

DESCRIPTION: 

Procedures  and  software  to  ensure  control  of 
movement  of  removable  media  through  the  operations 
area.     This  includes  a  capability  for  traceability 
and  accountability.     This  safeguard  includes 
requirement  for  external  labels  on  all  media. 

PURPOSE : 

To  prevent  unauthorized  disclosure  of  data  or 
programs . 

APPLICABLE 
VULNERABILITY 
CATEGORIES : 

DDiE ,  PDiE 

COMMENTS : 

Retrofit 

NAME: 

External  Sensitive  Area  Access  Control 

CATEGORY: 

Operations  5  (Data  Processing) 

Data  Handling  5  (Operations  Division) 

DESCRIPTION: 

Procedures  and  facilities  to  deny  or  control 
unauthorized  personnel  access  to  sensitive  user 
work  areas.     The  intent  of  this  safeguard  is  to 
ensure  that  a  minimum  number  of  people  have  access 
to  user  work  areas  where  they  might  be  able  to 
change  records  that  are  in  a  format  they  under- 
stand. 

PURPOSE : 

To  prevent  unauthorized  modification,  destruction, 
or  disclosure  of  data  or  programs.  • 

APPLICABLE 
VULNERABILITY 
CATEGORIES : 

DME ,  DDeE ,  DDiE ,  PME ,  PDeE ,  PDiE 

COMMENTS : 

Retrofit 
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NAME: 


Sensitive  Operator  Input  Control 


CATEGORY: 
DESCRI^ION: 


PURPOSE : 


Operations  6  (Data  Processing) 

Procedures  and  software  to  restrict  and  control 
sensitive  inputs  and  adjustments  that  can  be  made 
at  the  operator  console  without  special  authoriza- 
tion.    The  intent  of  this  safeguard  is  to  ensure 
that  systems  are  designed  or  modified  so  as  to 
minimize  operator  involvement. 

To  prevent  modification  and  disclosure  of  data  or 
programs . 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DMI,  DDil,  PMI,  PDil 
Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 

APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


File  Backup  Standard 

Operations  7  (Data  Processing) 

Procedures  and  software  to  ensure  backup  of 
critical  files.     This  safeguard  includes  the 
requirement  of  a  backup  schedule  for  all  files  and 
programs  to  prompt  operations  personnel  when  back- 
ups are  required.     It  also  includes  provision  for 
proper  user  notification  and  supervision. 

To  prevent  denial  of  system  service. 


SSD 

Retrofit 
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NAME: 


Card  Password  Protection 


CATEGORY: 
DESCRIPTION: 


PURPOSE : 


Operations  8  (Data  Processing) 

Procedures  to  ensure  protection  of  pass  'ord 
information  in  punched  cards,  e.g.,  in  JCL 
decks.     For  example,     the  safeguard  might  call  for- 
users  to  place  their  own  card  decks  in  the  card 
reader . 

To  prevent  unauthorized  modification,  destruction, 
or  disclosure  of  intellectual  property  or  denial 
or  theft  of  service  or  process. 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


DMI ,  DDel ,  DDil ,  PMI ,  PDel ,  PDil ,  SST,  SSD 
Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 

APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


Sensitive  Forms  Control 
Operations  9  (Data  Processing) 

Procedures  to  ensure  that  sensitive  forms,  such  as 
checks  and  certificates  are  properly  controlled 
and  secured.     For  example:     Each  set  of  serially- 
numbered  forms  should  be  maintained  in  such  a 
manner  that  an  audit  can  account  for  all  forms  used 
and  remaining  in  storage. 

To  prevent  theft  of  forms. 


CEStST 
Retrofit 
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NAME: 


Expiration  Date  Control 


CATEGORY: 
DESCRIPTION: 


PURPOSE 


APPLICABLE 

VULNERABILITY 

CATEGORIES: 

COMMENTS : 


Operations  10  (Data  Processing) 

Procedures  and  software  to  ensure  that  expiration 
date  mechanisms  are  used  properly  on  all  files 
in  which  such  mechanisms  are  applicable.  The 
intent  of  the  safeguard  is  to  ensure  that 
expiration  dates  are  maintained  and  changed  only 
by  authorized  persons. 

To  prevent  data  and  program  modification  and  denial 
of  system  service. 


DMI ,  PMT ,  SSD 
Retrofit 


NAME: 

CATEGORY: 

DESCRIPTION: 


PURPOSE : 


Console  Configuration  Control 
Operations  11  (Data  Processing) 

Software  and  hardware  to  effect  hardwiring  of  the 
addresses  of  privileged  terminals,  such  as  the 
system  operator  console.     The  intent  of  this 
safeguard  is  to  ensure  that  the  addresses  of 
privileged  terminals  are  not  program-changeable. 

To  prevent  unauthorized  modification,  destruction, 
or  disclosure  of  intellectual  property  or  denial 
or  theft  of  service  or  process. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DMI,  DDel,  DDil,  PMI ,  PDel ,  PDil ,  SST,  SSD 
Retrofit 


NAME: 


Configuration  Control 


CATEGORY: 
DESCRIPTION: 


PURPOSE : 


Operations  12  (Data  Processing) 

Procedures  to  prevent  compromise  of  any  files  in  the 
event  of  a  system  reconfiguration  due  to  mal- 
functioning equipment  or  scheduled  maintenance. 
The  intent  of  the  safeguard  is  to  ensure  that  all 
system  configurations,  including  emergency  con- 
figurations, do  not  allow  data  or  program 
compromise. 

To  prevent  unauthorized  modification  or  disclosure 
of  data  or  programs. 


APPLICABLE 
VULNERABILITY 
CATEGORIES : 

COMMENTS : 


DMI,  DDil,  PMI,  PDil 
Retrofit 


-B46- 


VULNERABILITY  CATEGORY  ABBREVIATIONS 


CE&SDe; 

CE&SM: 

CE&ST: 

DDeE: 

DDel: 

DDiE: 

DDil: 

DME: 
DMI: 
PDeE: 

PDel: 

PDiE: 

PDil: 

PME: 

PMI: 

SSD: 
SST: 


Unauthorized  Destruction  of  Computer  Equipment  or  Supplies 
Unauthorized  Modification  of  Computer  Equipment  or  Supplies 
Theft  of  Computer  Equipment  or  Supplies 

Unauthorized  Destruction  of  Data  External  to  the  Computer  System 

Unauthorized  Destruction  of  Data  Internal  to  the  Computer  System 

Unauthorized  Disclosure  of  Data  Stored  External  to  the 
Computer  System 

Unauthorized  Disclosure  of  Data  Stored  Internal  to  the 
Computer  System 

Unauthorized  Modification  of  Data  External  to  the  Computer  System 

Unauthorized  Modification  of  Data  Internal  to  the  Computer  System 

Unauthorized  Destruction  of  Programs  External  to  the  Computer 
System 

Unauthorized  Destruction  of  Programs  Internal  to  the  Computer 
System 

Unauthorized  Disclosure  of  Programs  Stored  External  to  the 
Computer  System 

Unauthorized  Disclosure  of  Programs  Stored  Internal  to  the 
Computer  System 

Unauthorized  Modification  of  Programs  External  to  the  Computer 
System 

Unauthorized  Modification  of  Programs  Internal  to  the  Computer 
System 

Denial  of  Computer  System  Services 
Unauthorized  Use  of  Computer  System  Services 
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X  y^^^^^      1  /      magazine  of  the  Nation- 
^^^^^■"/^  of  Standards. 

/  /       Still  featured  are  special  ar- 

^^^^f^^Y  /  tides  of  general  interest  on 

ll    /        current  topics  such  as  consum- 
^\^>^y /  product  safety  and  building 

^■^^^  /  technology.  In  addition,  new  sec- 

tions are  designed  to  .  .  .  PROVIDE 
SCIENTISTS  with  illustrated  discussions 
of  recent  technical  developments  and 
work  in  progress  .  .  .  INFORM  INDUSTRIAL 
MANAGERS  of  technology  transfer  activities  in 
Federal  and  private  labs.  .  .  DESCRIBE  TO  MAN- 
UFACTURERS advances  in  the  field  of  voluntary  and 
mandatory  standards.  The  new  DIMENSIONS/NBS  also 
carries  complete  listings  of  upcoming  conferences  to  be 
held  at  NBS  and  reports  on  all  the  latest  NBS  publications, 
with  information  on  how  to  order.  Finally,  each  issue  carries 
a  page  of  News  Briefs,  aimed  at  keeping  scientist  and  consum- 
alike  up  to  date  on  major  developments  at  the  Nation's  physi- 
cal sciences  and  measurement  laboratory. 
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Enter  my  Subscription  To  DIMENSIONS/NBS  at  $12.50.  Add  $3.15  for  foreign  mailing.  No  additional 
postage  is  required  for  mailing  within  the  United  States  or  its  possessions.  Domestic  remittances 
should  be  made  either  by  postal  money  order,  express  money  order,  or  check.  Foreign  remittances 
should  be  made  either  by  international  money  order,  draft  on  an  American  bank,  or  by  UNESCO 
coupons. 
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MHeat 

Manipienl 
Guideliook 

A  typical  plant  can  save  about  20  percent  of  its 
fuel — just  by  installing  waste  heat  recovery  equip- 
ment. But  with  so  much  equipment  on  the  market, 
how  do  you  decide  what's  right  for  you? 

Find  the  answers  to  your  problems  in  the  Waste 
Heat  Management  Guidebook,  a  new  handbook 
from  the  Commerce  Department's  National  Bureau 
of  Standards  and  the  Federal  Energy  Administra- 
tion. 

The  Waste  Heat  Management  Guidebook  is  de- 
signed to  help  you,  the  cost-conscious  engineer  or 
manager,  learn  how  to  capture  and  recycle  heat 
that  is  normally  lost  to  the  environment  during  in- 
dustrial and  commercial  processes. 

The  heart  of  the  guidebook  is  14  case  studies  of 
companies  that  have  recently  installed  waste  heat 
recovery  systems  and  profited.  One  of  these  appli- 
cations may  be  right  for  you,  but  even  if  it  doesn't 
fit  exactly,  you'll  find  helpful  approaches  to  solving 
many  waste  heat  recovery  problems. 


In  addition  to  case  studies,  the  guidebook  contains 
information  on: 

•  sources  and  uses  of  waste  heat 

•  determining  waste  heat  requirements 

•  economics  of  waste  heat  recovery 

•  commercial  options  in  waste  heat  recovery 
equipment 

•  instrumentation 

•  engineering  data  for  waste  heat  recovery 

•  assistance  for  designing  and  installing  waste  ! 
heat  systems  j 

To  order  your  copy  of  the  Waste  Heat  Management 
Guidebook,  send  $2.75  per  copy  (check  or  money 
order)  to  Superintendent  of  Documents,  U.S.  Gov- 
ernment Printing  Office,  Washington,  D.C.  20402. 
A  discount  of  25  percent  is  given  on  orders  of  100 
copies  or  more  mailed  to  one  address. 

The  Waste  Heat  Management  Guidebook  Is  part  of 
the  EPIC  industrial  energy  management  program 
aimed  at  helping  industry  and  commerce  adjust  to 
the  increased  cost  and  shortage  of  energy. 
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ANNOUNCEMENT  OF  NEW  PUBLICATIONS  ON 
COMPUTER  SCIENCE  &  TECHNOLOGY 


Superintendent  of  Documents, 
Government  Printing  Office, 
Washington,  D.  C.  20402 

Pear  Sir: 

Please  add  my  name  to  the  announcement  list  of  new  publications  to  be  issued  in 
the  series:  National  Bureau  of  Standards  Special  Publication  500-. 

Name  

Company  

Address  

City  State  Zip  Code  


(Notification  key  N-503) 


NBS  TECHNICAL  PUBLICATIONS 


PERIODICALS 

JOURNAL  OF  RESEARCH— The  Journal  of  Research 
of  the  National  Bureau  of  Standards  reports  NBS  research 
and  development  in  those  disciplines  of  the  physical  and 
engineering  sciences  in  which  the  Bureau  is  active.  These 
include  physics,  chemistry,  engineering,  mathematics,  and 
computer  sciences.  Papers  cover  a  broad  range  of  subjects, 
with  major  emphasis  on  measurement  methodology,  and 
the  basic  technology  underlying  standardization.  Also  in- 
cluded from  time  to  time  are  survey  articles  on  topics  closely 
related  to  the  Bureau's  technical  and  scientific  programs.  As 
a  special  service  to  subscribers  each  issue  contains  complete 
citations  to  all  recent  NBS  publications  in  NBS  and  non- 
NBS  media.  Issued  six  times  a  year.  Annual  subscription: 
domestic  $17.00;  foreign  $21.25.  Single  copy,  $3.00  domestic; 
$3.75  foreign. 

Note:  The  Journal  was  formerly  published  in  two  sections: 
Section  A  "Physics  and  Chemistry"  and  Section  B  "Mathe- 
matical Sciences." 
DIMENSIONS/NBS  , 

This  monthly  magazine  is  published  to  inform  scientists, 
engineers,  businessmen,  industry,  teachers,  students,  and 
consumers  of  the  latest  advances  in  science  and  technology, 
with  primary  emphasis  on  the  work  at  NBS.  The  magazine 
highlights  and  reviews  such  issues  as  energy  research,  fire 
protection,  building  technology,  metric  conversion,  pollution 
abatement,  health  and  safety,  and  consumer  product  per- 
formance. In  addition,  it  reports  the  results  of  Bureau  pro- 
grams in  measurement  standards  and  techniques,  properties 
of  matter  and  materials,  engineering  standards  and  services, 
instrumentation,  and  automatic  data  processing. 
Annual  subscription:  Domestic,  $12.50;  Foreign  $15.65. 

N0NPERI0DICAL6 

Monographs — Major  contributions  to  the  technical  liter- 
ature on  various  subjects  related  to  the  Bureau's  scientific 
and  technical  activities. 

Handbooks — Recommended  codes  of  engineering  and  indus- 
trial practice  (including  safety  codes)  developed  in  coopera- 
tion with  interested  industries,  professional  organizations, 
and  regulatory  bodies. 

Special  Publications — Include  proceedings  of  conferences 
sponsored  by  NBS,  NBS  annual  reports,  and  other  special 
publications  appropriate  to  this  grouping  such  as  wall  charts, 
pocket  cards,  and  bibliographies. 

Applied  Mathematics  Series — Mathematical  tables,  man- 
uals, and  studies  of  special  interest  to  physicists,  engineers, 
chemists,  biologists,  mathematicians,  computer  programmers, 
and  others  engaged  in  scientific  and  technical  work. 
National  Standard  Reference  Data  Series — Provides  quanti- 
tative data  on  the  physical  and  chemical  properties  of 
materials,  compiled  from  the  world's  literature  and  critically 
evaluated.  Developed  under  a  world-wide  program  co- 
ordinated by  NBS.  Program  under  authority  of  National 
Standard  Data  Act  (Public  Law  90-396). 


NOTE:  At  present  the  principal  publication  outlet  for  these 
data  is  the  Journal  of  Physical  and  Chemical  Reference 
Data  (JPCRD)  published  quarterly  for  NBS  by  the  Ameri- 
can Chemical  Society  (ACS)  and  the  American  Institute  of 
Physics  (AIP).  Subscriptions,  reprints,  and  supplements 
available  from  ACS,  1155  Sixteenth  St.  N.W.,  Wash.,  D.C. 
20056. 

Building  Science  Series — Disseminates  technical  information 
developed  at  the  Bureau  on  building  materials,  components, 
systems,  and  whole  structures.  The  series  presents  research 
results,  test  methods,  and  performance  criteria  related  to  the 
structural  and  environmental  functions  and  the  durability 
and  safety  characteristics  of  building  elements  and  systems. 
Technical  Notes — Studies  or  reports  which  are  complete  in 
themselves  but  restrictive  in  their  treatment  of  a  subject. 
Analogous  to  monographs  but  not  so  comprehensive  in 
scope  or  definitive  in  treatment  of  the  subject  area.  Often 
serve  as  a  vehicle  for  final  reports  of  work  performed  at 
NBS  under  the  sponsorship  of  other  govenunent  agencies. 
Voluntary  Product  Standards — Developed  under  procedures 
published  by  the  Department  of  Commerce  in  Part  10, 
Title  15,  of  the  Code  of  Federal  Regulations.  The  purpose 
of  the  standards  is  to  establish  nationally  recognized  require- 
ments for  products,  and  to  provide  all  concerned  interests 
with  a  basis  for  common  understanding  of  the  characteristics 
of  the  products.  NBS  administers  this  program  as  a  supple- 
ment to  the  activities  of  the  private  sector  standardizing 
organizations. 

Consumer  Information  Series — Practical  information,  based 
on  NBS  research  and  experience,  covering  areas  of  interest 
to  the  consumer.  Easily  understandable  language  and 
illustrations  provide  useful  background  knowledge  for  shop- 
ping in  today's  technological  marketplace. 
Order  above  NBS  publications  from:  Superintendent  of 
Documents,  Government  Printing  Office,  Washington,  D.C. 
20402. 

Order  following  NBS  publications — NBSIR's  and  FIPS  from 
the  National  Technical  Information  Services,  Springfield, 
Va.  22161. 

Federal  Information  Processing  Standards  Publications 
(FIPS  PUB) — Publications  in  this  series  collectively  consti- 
tute the  Federal  Information  Processing  Standards  Register. 
Register  serves  as  the  official  source  of  information  in  the 
Federal  Government  regarding  standards  issued  by  NBS 
pursuant  to  the  Federal  Property  and  Administrative  Serv- 
ices Act  of  1949  as  amended,  Public  Law  89-306  (79  Stat. 
1127),  and  as  implemented  by  Executive  Order  11717 
(38  FR  12315,  dated  May  11,  1973)  and  Part  6  of  Title  15 
CFR  (Code  of  Federal  Regulations). 

NBS  Interagency  Reports  (NBSIR) — ^A  special  series  of 
interim  or  final  reports  on  work  performed  by  NBS  for 
outside  sponsors  (both  government  and  non-government). 
In  general,  initial  distribution  is  handled  by  the  sponsor; 
public  distribution  is  by  the  National  Technical  Information 
Services  (Springfield,  Va.  22161)  in  paper  copy  or  microfiche 
form. 


BIBLIOGRAPHIC  SUBSCRIPTION  SERVICES 


The  following  current-awareness  and  literature-survey  bibli- 
ographies are  issued  periodically  by  the  Bureau: 
Cryogenic  Data  Center  Current  Awareness  Service.  A  litera- 
ture survey  issued  biweekly.  Annual  subscription:  Domes- 
tic, $25.00;  Foreign,  $30.00. 
Liquified  Natural  Gas.  A  literature  survey  issued  quarterly. 
Annual  subscription:  $20.00. 


Superconducting  Devices  and  Materials.  A  literature  survey 
issued  quarterly.  Annual  subscription:  $30.00.  Send  subscrip- 
tion orders  and  remittances  for  the  preceding  bibliographic 
services  to  National  Bureau  of  Standards,  Cryogenic  Data 
Center  (275.02)  Boulder,  Colorado  80302. 
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